Directory Traversal Vulnerability in BBOT's GitHub Workflows Module
CVE-2026-14967
3.1LOW
What is CVE-2026-14967?
The BBOT GitHub Workflows module is susceptible to a directory traversal vulnerability that allows for the writing of downloaded artifacts outside its specified output directory. Due to inadequate path containment checks, specifically the failure to resolve .., an attacker could craft a CODE_REPOSITORY URL that enables navigation beyond the intended directory structure. However, the write operation is constrained to two directory levels above the designated output location, and the final target path is determined by the operator's settings rather than the attacker's input.
Affected Version(s)
BBOT 1.1.7 <= 2.8.6
