Directory Traversal Vulnerability in BBOT's GitHub Workflows Module
CVE-2026-14967

3.1LOW

Key Information:

Status
Vendor
CVE Published:
8 July 2026

What is CVE-2026-14967?

The BBOT GitHub Workflows module is susceptible to a directory traversal vulnerability that allows for the writing of downloaded artifacts outside its specified output directory. Due to inadequate path containment checks, specifically the failure to resolve .., an attacker could craft a CODE_REPOSITORY URL that enables navigation beyond the intended directory structure. However, the write operation is constrained to two directory levels above the designated output location, and the final target path is determined by the operator's settings rather than the attacker's input.

Affected Version(s)

BBOT 1.1.7 <= 2.8.6

References

CVSS V3.1

Score:
3.1
Severity:
LOW
Confidentiality:
None
Integrity:
Low
Availability:
None
Attack Vector:
Network
Attack Complexity:
High
Privileges Required:
None
User Interaction:
Required
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.