Description
The docker_pull module uses the realm parameter from a Docker registry's WWW-Authenticate response header as the authentication endpoint without validation. An attacker in a man-in-the-middle position between bbot and a Docker registry could modify this header to redirect the authentication request to an arbitrary endpoint, potentially leaking authentication tokens.
Published: 2026-06-17
Score: 3.1 Low
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The docker_pull module incorrectly uses the realm value from a Docker registry’s WWW-Authenticate response header as the authentication endpoint without verifying it. An attacker positioned as a man‑in‑the‑middle between the BBOT tool and a registry can alter that header to point to any arbitrary URL, causing BBOT to redirect its authentication request. This can lead to the accidental transmission of authentication credentials to an attacker’s server, effectively leaking tokens. The vulnerability represents a server‑side request forgery (SSRF) scenario that compromises confidentiality of authentication data.

Affected Systems

The affected product is Black Lantern Security’s BBOT. No specific version information was provided by the CNA; therefore, any version of BBOT currently deployed may be vulnerable until a fix is applied.

Risk and Exploitability

The CVSS score of 3.1 indicates a low severity issue, and the EPSS score of less than 1% suggests that exploitation is unlikely under current conditions. The vulnerability is not listed in the CISA KEV catalog. Exploitation requires an attacker to control network traffic between BBOT and the registry, typically via a man‑in‑the‑middle attack. Because the impact is limited to possible token leakage and no privilege escalation or service interruption is described, the overall risk remains low, though it is significant if the leaked tokens provide privileged access to a registry or downstream services.

Generated by OpenCVE AI on June 18, 2026 at 18:12 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update BBOT to the latest version once a vendor patch becomes available.
  • Configure network devices to prevent unauthorized the interception of traffic between BBOT and Docker registries.
  • Avoid using untrusted registries or enforce TLS verification to restrict modifications to authentication headers.

Generated by OpenCVE AI on June 18, 2026 at 18:12 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-3mp7-vp6j-2mxx BBOT: Server-Side Request Forgery (SSRF) in docker_pull module via WWW-Authenticate realm parsing
History

Thu, 18 Jun 2026 16:45:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 18 Jun 2026 04:45:00 +0000

Type Values Removed Values Added
Description The docker_pull module uses the realm parameter from a Docker registry's WWW-Authenticate response header as the authentication endpoint without validation. An attacker in a man-in-the-middle position between bbot and a Docker registry could modify this header to redirect the authentication request to an arbitrary endpoint, potentially leaking authentication tokens.
Title SSRF via unvalidated WWW-Authenticate realm in docker_pull module
Weaknesses CWE-918
References
Metrics cvssV3_1

{'score': 3.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N'}

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: BLSOPS

Published:

Updated: 2026-06-18T12:50:35.439Z

Reserved: 2026-06-17T21:45:54.435Z

Link: CVE-2026-12566

cve-icon Vulnrichment

Updated: 2026-06-18T12:50:31.999Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-18T18:15:02Z

Weaknesses
  • CWE-918

    Server-Side Request Forgery (SSRF)