BBOT: Symlink-Following Arbitrary Write via github_workflows Module
Low severity
GitHub Reviewed
Published
Jun 17, 2026
in
blacklanternsecurity/bbot
•
Updated Jun 18, 2026
Description
Published by the National Vulnerability Database
Jun 17, 2026
Published to the GitHub Advisory Database
Jun 18, 2026
Reviewed
Jun 18, 2026
Last updated
Jun 18, 2026
The
github_workflowsmodule constructs local directory paths from user-controlled repository names without validating for symlinks. A local attacker sharing the scan directory can plant a symlink at the predictable output path, causing workflow data to be written to an attacker-chosen location.References