PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-12567 Black Lantern Security CVE debrief

CVE-2026-12567 is a LOW severity vulnerability in the github_workflows module of Black Lantern Security's BBOT. The module constructs local directory paths from user-controlled repository names without validating for symlinks, allowing a local attacker to plant a symlink at the predictable output path and write workflow data to an attacker-chosen location. This vulnerability has a CVSS score of 2.2 and is classified as LOW severity. The attack surface is limited, but users of BBOT, especially those with shared scan directories, should be aware of this vulnerability and take steps to mitigate it.

Vendor
Black Lantern Security
Product
BBOT
CVSS
LOW 2.2
CISA KEV
Not listed in stored evidence
Original CVE published
2026-06-17
Original CVE updated
2026-06-22
Advisory published
2026-06-17
Advisory updated
2026-06-22

Who should care

Users of Black Lantern Security's BBOT, especially those with shared scan directories, should be aware of this vulnerability and take steps to mitigate it. This includes reviewing and validating symlink handling in the github_workflows module, implementing proper validation for user-controlled repository names, restricting write access to workflow data directories, and monitoring for suspicious symlink creation. BBOT operators and security teams should prioritize this vulnerability due to its potential impact on workflow data integrity and the ease of exploitation by local attackers.

Technical summary

The github_workflows module in BBOT constructs local directory paths from user-controlled repository names without proper symlink validation. This allows a local attacker sharing the scan directory to plant a symlink at the predictable output path. Consequently, workflow data can be written to an attacker-chosen location. The vulnerability has a CVSS score of 2.2 and is classified as LOW severity. The exploitation requires local access to the scan directory and user-controlled repository names.

Defensive priority

Defensive priority should be medium to low due to the LOW severity score and limited attack surface. However, BBOT users with shared scan directories should prioritize mitigation efforts to prevent potential data integrity issues.

Recommended defensive actions

  • Review and validate symlink handling in github_workflows module
  • Implement proper validation for user-controlled repository names
  • Restrict write access to workflow data directories
  • Monitor for suspicious symlink creation in shared scan directories
  • Apply vendor remediation when available
  • Conduct a thorough review of BBOT configurations and github_workflows module usage
  • Verify the integrity of workflow data and scan directories for potential exploitation signs

Evidence notes

Evidence is limited but indicates a genuine vulnerability exists in the github_workflows module of Black Lantern Security's BBOT. Further review of the module and BBOT configuration is necessary to fully understand the impact and verify affected scope. Defenders should review the official CVE record and NVD details for CVE-2026-12567, focusing on the LOW severity score and limited attack surface. The vulnerability allows a local attacker to plant a symlink at a predictable output path, causing workflow data to be written to an attacker-chosen location. This can occur when a local attacker shares the scan directory and exploits the lack of symlink validation in user-controlled repository names.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-06-17T23:17:03.220Z and has not been modified since then. The NVD entry is currently Deferred.