CVE-2026-12568: Path Traversal and Arbitrary File Write in BBOT postman_download Module

Vulnerability ID: CVE-2026-12568
CVSS Score: 6.5
Published: 2026-06-18

CVE-2026-12568 is a path traversal vulnerability (CWE-22) in the postman_download module of BBOT (Babbage Border Obsession Tool) version 2.1.0 through 2.8.5. The vulnerability allows an attacker to perform arbitrary file writes on the local machine running the BBOT scan via a maliciously named remote Postman workspace.

TL;DR

A path traversal vulnerability in BBOT's postman_download module allows remote attackers to execute arbitrary file writes using crafted Postman workspace names.

Technical Details

• CWE ID: CWE-22
• Attack Vector: Network (AV:N)
• CVSS Score: 6.5
• EPSS Score: 0.00251 (Percentile: 16.15%)
• Impact: Arbitrary File Write
• Exploit Status: None
• KEV Status: Not Listed

Affected Systems

• BBOT (Babbage Border Obsession Tool)
• BBOT: >= 2.1.0, <= 2.8.5 (Fixed in: 2.8.6)

Code Analysis

Commit: 36bc208

Fix path traversal in postman_download module by implementing tagify and resolve checks

--- a/bbot/modules/postman_download.py
+++ b/bbot/modules/postman_download.py
@@ -57,15 +57,18 @@ async def handle_event(self, event):

     def save_workspace(self, workspace, environments, collections):
         zip_path = None
-        # Create a folder for the workspace
         name = workspace["name"]
         id = workspace["id"]
-        folder = self.output_dir / name
+        safe_name = self.helpers.tagify(name)
+        folder = self.output_dir / safe_name
+        if not folder.resolve().is_relative_to(self.output_dir.resolve()):
+            self.warning(f"Workspace name {name!r} resulted in path traversal, skipping")
+            return None
         self.helpers.mkdir(folder)
         zip_path = folder / f"{id}.zip"

         # Main Workspace
-        self.add_json_to_zip(zip_path, workspace, f"{name}.postman_workspace.json")
+        self.add_json_to_zip(zip_path, workspace, f"{safe_name}.postman_workspace.json")

         # Workspace Environments
         if environments:
@@ -77,7 +80,8 @@ def save_workspace(self, workspace, environments, collections):
             if collections:
                 for collection in collections:
                     collection_name = collection["info"]["name"]
-                    self.add_json_to_zip(zip_path, collection, f"{collection_name}.postman_collection.json")
+                    safe_collection_name = self.helpers.tagify(collection_name)
+                    self.add_json_to_zip(zip_path, collection, f"{safe_collection_name}.postman_collection.json")
         return zip_path

Mitigation Strategies

• Upgrade BBOT to a version newer than 2.8.5
• Apply path sanitization and canonical path validation checks to the postman_download module

Remediation Steps:

1. Identify installations running BBOT versions <= 2.8.5.
2. Execute pip install --upgrade bbot or update the dependency in your environment manager.
3. Verify the installation of version 2.8.6 or newer.
4. If updating is restricted, manually apply the path validation logic using pathlib's resolve() and is_relative_to() methods to the postman_download.py module.

References

• https://www.cve.org/CVERecord?id=CVE-2026-12568
• https://github.com/blacklanternsecurity/bbot/commit/36bc20818206a59f6d430e905248f85c439e5397
• https://api.first.org/data/v1/epss?cve=CVE-2026-12568
• https://attack.mitre.org/search/?search=CVE-2026-12568
• https://www.shodan.io/search?query=CVE-2026-12568

Read the full report for CVE-2026-12568 on our website for more details including interactive diagrams and full exploit analysis.