CVE-2026-12568 — BBOT: Arbitrary File Write in postman_download Module

Description

The `postman_download` module uses the workspace `name` field from the Postman API to construct the local directory path without sanitization. If a malicious workspace has a name containing path traversal characters, pathlib resolves the path outside the intended output directory, allowing an attacker to write arbitrary files to the user's system.

How to fix CVE-2026-12568

To remediate CVE-2026-12568, upgrade the affected package to a fixed version below.

PyPI/bbot—upgrade to 2.8.6 or later

Is CVE-2026-12568 being exploited?

No exploitation signal available. Neither CISA KEV nor a current EPSS score has been published for CVE-2026-12568.

Affected packages (1)

>= 2.1.0, < 2.8.6

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	MEDIUM6.5	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N

References (4)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2026-12568
PATCHgithub.com/blacklanternsecurity/bbot
WEBgithub.com/blacklanternsecurity/bbot/commit/36bc20818
WEBgithub.com/blacklanternsecurity/bbot/security/advisories/GHSA-m54h-vhf9-3w3m