Directory Traversal Vulnerability in GitHub Workflows by Black Lantern Security
CVE-2026-12567

2.2LOW

Key Information:

Vendor: Black Lantern Security
Status: Bbot
Vendor: CVE Published:; 17 June 2026

🔔 Create Black Lantern Security Vulnerability Alert

What is CVE-2026-12567?

The github_workflows module has a vulnerability that allows local attackers to exploit the construction of local directory paths from user-controlled repository names. By failing to validate for symlinks, an attacker can create a symlink at a predictable output path. This can result in unauthorized data being written to a directory of the attacker's choosing, potentially compromising the integrity and confidentiality of workflow data.

Affected Version(s)

BBOT 2.0.0

References

https://github.com/blacklanternsecurity/bbot/commit/16d9c...

CVSS V3.1

Score:

2.2

Severity:

LOW

Confidentiality:

None

Integrity:

Low

Availability:

None

Attack Vector:

Local

Attack Complexity:

High

Privileges Required:

Low

User Interaction:

Required

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jun 17, 2026
Vulnerability Reserved
Jun 17, 2026

CVE-2026-12567 Data

JSON