Description
The postman_download module uses the workspace name field from the Postman API to construct the local directory path without sanitization. If a malicious workspace has a name containing path traversal characters, pathlib resolves the path outside the intended output directory, allowing an attacker to write arbitrary files to the user's system.
Published: 2026-06-17
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The postman_download module builds the local output directory from the workspace name returned by the Postman API. Because that name is joined onto the output path without sanitization, a malicious workspace can carry path-traversal sequences ("..", embedded separators, or an absolute path). When pathlib resolves the joined path it can point outside the intended directory, so the tool creates or overwrites files wherever the account running it has write permission. An attacker who can create or modify a workspace that a BBOT scan downloads can therefore write attacker-controlled files on the host running BBOT. Note that the CVSS vector rates the direct impact as integrity only (C:N/I:H/A:N); whether the file write can be escalated further depends on which files the BBOT user account is able to overwrite.

Affected Systems

Black Lantern Security BBOT. The advisory gives no affected-version range, so any install that runs the postman_download module should be treated as affected until a fixed version is confirmed.

Risk and Exploitability

The CVSS 3.1 score of 6.5 (AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N) is medium severity: the attack is network reachable and needs no privileges, but it requires user interaction (the victim running the scan) and only integrity is rated as impacted. The EPSS score below 1% indicates a low observed probability of exploitation, and the vulnerability is not listed in the CISA KEV catalog. Exploitation requires that the victim run the postman_download module against a workspace whose name the attacker controls; PR:N means the attacker needs no access to the victim's Postman account, only control of a workspace that the scan will fetch. The impact rises sharply if the BBOT process runs with elevated privileges or its output directory sits on a shared filesystem.

Generated by OpenCVE AI on June 18, 2026 at 18:11 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade BBOT to a release or commit that sanitizes workspace names before building the output path, once the vendor publishes one (track GHSA-m54h-vhf9-3w3m for the fix).
  • Run BBOT in a restricted or sandboxed environment if an immediate upgrade is unavailable.
  • Reject or rewrite workspace names containing "..", "/", "\", NUL, or a leading path separator before they reach the filesystem; substring checks alone are brittle, so also verify that the resolved output path still lies inside the intended output directory.
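
The Impact analysis above describes how an unsanitized workspace name reaches pathlib, and the last recommended action asks for traversal characters to be rejected and the resolved path checked. The following example, added for this page and not taken from BBOT's code base, shows both: the flawed join that the advisory describes beside a hardened version. The function names, the allowlist sanitizer, and the sample workspace names are assumptions chosen to illustrate the CWE-22 pattern and a containment check; they are not the project's actual implementation.

```python
import re
import tempfile
from pathlib import Path
from typing import Optional

# Constructed workspace names (not taken from the advisory): one benign value
# followed by the kinds of strings an attacker-controlled workspace could return.
SAMPLE_WORKSPACE_NAMES = [
    "acme-public-api",   # benign
    "../../.ssh",        # classic dot-dot traversal
    "/tmp/outside",      # absolute path: pathlib's '/' discards the base entirely
    "nested/sub/dir",    # separators create unexpected sub-directories
    "..",                # resolves to the parent of the output directory
    "",                  # empty name collapses onto the base itself
]


def vulnerable_output_dir(base_dir: Path, workspace_name: str) -> Path:
    """Reproduces the flawed pattern the advisory describes: the API-supplied
    name is joined onto the output directory and resolved with no validation."""
    return (base_dir / workspace_name).resolve()


def sanitize_workspace_name(workspace_name: str) -> str:
    """Collapse an untrusted name into a single, separator-free path component."""
    # Allowlist rather than denylist: anything outside [A-Za-z0-9._-] becomes '_',
    # which handles '/', '\\', NUL and control characters with one rule.
    name = re.sub(r"[^A-Za-z0-9._-]", "_", workspace_name)
    # Leading dots are stripped so '.' and '..' cannot survive as components
    # (and the result is not a hidden directory either).
    name = name.lstrip(".")
    return name or "unnamed_workspace"


def safe_output_dir(base_dir: Path, workspace_name: str) -> Path:
    """Hardened construction: sanitize, then prove containment after resolve().

    The check is kept even though the sanitizer already removes separators:
    resolve() follows symlinks, so a pre-existing symlink inside base_dir could
    still redirect the write elsewhere, and a character filter cannot see that.
    """
    base = base_dir.resolve()
    candidate = (base / sanitize_workspace_name(workspace_name)).resolve()
    # Path.parents works on every supported Python; is_relative_to() needs 3.9+.
    if candidate != base and base not in candidate.parents:
        raise ValueError(f"workspace name escapes output directory: {workspace_name!r}")
    return candidate


def escapes_base(base_dir: Path, workspace_name: str) -> bool:
    """True when the vulnerable construction lands outside base_dir."""
    base = base_dir.resolve()
    target = vulnerable_output_dir(base, workspace_name)
    return target != base and base not in target.parents


def symlink_escape_is_rejected() -> Optional[bool]:
    """Demonstrate the containment check catching a symlink the sanitizer passes.
    Returns None if the platform refuses to create the symlink."""
    base = Path(tempfile.mkdtemp())
    try:
        # Symlink named like a harmless workspace, pointing above the temp dir.
        (base / "evil").symlink_to(Path(tempfile.gettempdir()).resolve().parent)
    except OSError:
        return None
    try:
        safe_output_dir(base, "evil")
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    base = Path(tempfile.mkdtemp())
    for name in SAMPLE_WORKSPACE_NAMES:
        try:
            safe = str(safe_output_dir(base, name))
        except ValueError as exc:
            safe = f"REJECTED ({exc})"
        print(f"{name!r:18} escapes={escapes_base(base, name)!s:5} "
              f"vulnerable={vulnerable_output_dir(base, name)} safe={safe}")
    print("symlink rejected:", symlink_escape_is_rejected())
```

Running the block prints, for each constructed name, where the vulnerable join lands and what the hardened version does instead. Two design choices matter: the sanitizer uses an allowlist so it does not depend on enumerating every dangerous character, and the containment check stays in place after resolve() because resolve() follows symlinks, which a character filter cannot detect. Flattening a nested name into one component changes the on-disk layout; if nested output is wanted, each component must be sanitized separately and the containment check still applied to the final path.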



Advisories
Source: GitHub GHSA
ID: GHSA-m54h-vhf9-3w3m
Title: BBOT: Arbitrary File Write in postman_download Module
History

Thu, 18 Jun 2026 16:45:00 +0000

Values removed: none
Values added:
  • Metrics (ssvc): {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 18 Jun 2026 04:45:00 +0000

Values removed: none
Values added:
  • Description: The postman_download module uses the workspace name field from the Postman API to construct the local directory path without sanitization. If a malicious workspace has a name containing path traversal characters, pathlib resolves the path outside the intended output directory, allowing an attacker to write arbitrary files to the user's system.
  • Title: Arbitrary File Write in postman_download module
  • Weaknesses: CWE-22
  • References: (empty)
  • Metrics (cvssV3_1): {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N'}



MITRE

Status: PUBLISHED

Assigner: BLSOPS

Published:

Updated: 2026-06-18T12:48:02.115Z

Reserved: 2026-06-17T21:51:43.456Z

Link: CVE-2026-12568

Vulnrichment

Updated: 2026-06-18T12:47:58.375Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-18T18:15:02Z

Weaknesses
  • CWE-22

    Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')