CVE Reports

Originally published at cvereports.com

CVE-2026-12567: Symlink Following Vulnerability in BBOT github_workflows Module

Vulnerability ID: CVE-2026-12567
CVSS Score: 2.2
Published: 2026-06-18

The github_workflows module in BBOT (Black Lantern Security OSINT framework) versions 2.0.0 through 2.8.4 constructs local directory paths from user-controlled repository and owner names without validating for symbolic links. A local attacker sharing the scan directory can pre-plant a symlink at the predictable output path, forcing BBOT to write downloaded workflow artifacts or run logs to an arbitrary location on the filesystem.

TL;DR

A local symlink-following vulnerability in BBOT's github_workflows module allows an attacker sharing the scan directory to overwrite arbitrary local files when a victim scans a targeted repository.


⚠️ Exploit Status: POC

Technical Details

  • CWE ID: CWE-59
  • Attack Vector: Local
  • CVSS v3.1 Score: 2.2
  • EPSS Score: 0.0009 (Percentile: 0.60%)
  • Impact: Low Integrity Impact (Unsanitized local file write)
  • Exploit Status: Proof of Concept (PoC) available in official test suite
  • KEV Status: Not listed in CISA KEV

Affected Systems

  • BBOT installations running on multi-user or shared filesystem configurations
  • BBOT: >= 2.0.0, <= 2.8.4 (Fixed in: 2.8.5)

Code Analysis

Commit: 16d9c42

Reject symlinks in github_workflows output path before mkdir

def _check_output_path(self, folder):
    # Only accept output folders that sit beneath the module's output directory.
    try:
        rel = folder.relative_to(self.output_dir)
    except ValueError:
        return False
    # Walk the path one component at a time and refuse as soon as any
    # component is a symbolic link, so a link planted at the owner or
    # repository level cannot redirect the write elsewhere.
    current = self.output_dir
    for part in rel.parts:
        current = current / part
        if current.is_symlink():
            self.warning(f"Refusing to write through symlink: {current}")
            return False
    return True
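To show what the fix above actually catches, here is a stand-alone version of the same walk-and-reject check, written for this report as an added example (it is not BBOT's code). It assumes a POSIX host where an unprivileged user can create symlinks, a hypothetical output layout of output_dir/owner/repo, and it adds one extra defensive rule the page's snippet does not show: any ".." component is rejected as well. The demo builds a scan directory in a temporary folder, plants a symlink at the owner level and at the repo level (the two cases the integration test in the commit is described as covering), and reports the verdict for each path.

```python
import tempfile
from pathlib import Path


def check_output_path(output_dir: Path, folder: Path) -> bool:
    """Return True only if every component of ``folder`` below ``output_dir``
    is absent or a real directory, never a symbolic link.

    Same walk as the fix: descend from output_dir one component at a time
    and refuse on the first symlink seen. The ".." rejection is an extra
    belt-and-braces rule added for this example.
    """
    output_dir = Path(output_dir)
    folder = Path(folder)
    try:
        rel = folder.relative_to(output_dir)
    except ValueError:
        # folder is not beneath output_dir at all
        return False
    current = output_dir
    for part in rel.parts:
        if part == "..":
            return False
        current = current / part
        if current.is_symlink():
            return False
    return True


def planned_output_folder(output_dir: Path, owner: str, repo: str) -> Path:
    """Predictable per-repository folder (hypothetical layout for this example)."""
    return Path(output_dir) / owner / repo


def demo() -> dict:
    """Constructed scenario: symlinks planted in a shared scan directory.

    Returns the verdict of check_output_path for each case.
    """
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        scan_dir = Path(tmp) / "scan"
        scan_dir.mkdir()
        elsewhere = Path(tmp) / "elsewhere"  # stands in for an attacker-chosen target
        elsewhere.mkdir()

        # Case 1: clean path, nothing created yet -> allowed
        clean = planned_output_folder(scan_dir, "good-owner", "good-repo")
        results["clean"] = check_output_path(scan_dir, clean)

        # Case 2: symlink planted at the owner level -> refused
        (scan_dir / "link-owner").symlink_to(elsewhere, target_is_directory=True)
        results["owner_symlink"] = check_output_path(
            scan_dir, planned_output_folder(scan_dir, "link-owner", "repo")
        )

        # Case 3: real owner directory, symlink planted at the repo level -> refused
        (scan_dir / "real-owner").mkdir()
        (scan_dir / "real-owner" / "link-repo").symlink_to(elsewhere, target_is_directory=True)
        results["repo_symlink"] = check_output_path(
            scan_dir, planned_output_folder(scan_dir, "real-owner", "link-repo")
        )

        # Case 4: path outside the scan directory altogether -> refused
        results["outside"] = check_output_path(scan_dir, elsewhere)

        # Case 5: ".." component that would climb out of the scan directory -> refused
        results["dotdot"] = check_output_path(scan_dir, scan_dir / "owner" / ".." / "..")
    return results


if __name__ == "__main__":
    for case, allowed in demo().items():
        print(f"{case}: {'allowed' if allowed else 'refused'}")
```

A check like this runs before the directory is created, so it is a best-effort guard against links that were already planted; it does not by itself protect a scan directory that other local users can still write into while the scan runs. That is why the mitigations below pair the upgrade with per-user output directories restricted to 0700 and with the kernel's link protections (on Linux, the fs.protected_symlinks and fs.protected_hardlinks sysctls).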

Exploit Details

  • GitHub: Integration test validating symlink path rejection at repo and owner levels.

Mitigation Strategies

  • Upgrade BBOT to version 2.8.5 or later to apply the path-validation logic.
  • Enforce operating system-level link protections to block unauthorized link resolution.
  • Use unique, restricted output directories rather than shared folders like /tmp.

Remediation Steps:

  1. Identify the current BBOT installation version: bbot --version
  2. Upgrade the installation using pip: pip install --upgrade bbot
  3. Configure your system's sysctl configuration to enforce symlink and hardlink security protections.
  4. Verify that bbot scan output configurations point to user-specific directories with permissions restricted to 0700.

References


Read the full report for CVE-2026-12567 on our website for more details including interactive diagrams and full exploit analysis.
