← back
CVE-2026-14967

Path traversal in github_workflows allows writing artifacts outside output directory

CVSS 3.1 LOWEPSS 0.2%CWE-22
Vexday Risk Score
8Low
SSVC decision (CISA)
Track
No exploitation signal → monitor
CVSS 3.1EPSS 0.2%KEV nãoPoC Nuclei Metasploit Patch
Lifecycle
08 Jul 2026Published on NVD
Recommendation: Monitor — no exploitation signal at the moment.
BBOT's `github_workflows` module could be induced to write a downloaded artifact outside its configured output directory: its path-containment check did not resolve `..`, so a crafted `CODE_REPOSITORY` URL could traverse out of the intended folder. The write is bounded to two directory levels above the output location and its target is determined by the operator's configuration, not the attacker.
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N