CVE-2026-12566 PUBLISHED

SSRF via unvalidated WWW-Authenticate realm in docker_pull module

Assigner: BLSOPS
Reserved: 17.06.2026 Published: 17.06.2026 Updated: 18.06.2026

The docker_pull module uses the realm parameter from a Docker registry's WWW-Authenticate response header as the authentication endpoint without validation. An attacker in a man-in-the-middle position between bbot and a Docker registry could modify this header to redirect the authentication request to an arbitrary endpoint, potentially leaking authentication tokens.

Metrics

CVSS 3.1

CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N
CVSS Score: 3.1

Attack Vector	Network	Scope	Unchanged
Attack Complexity	High	Confidentiality Impact	Low
Privileges Required	None	Integrity Impact	None
User Interaction	Required	Availability Impact	None

CVSS 3.1

Product Status

Vendor	Black Lantern Security
Product	BBOT
Versions	Default: unaffected affected from 2.0.0 to <=2.8.4 (incl.)

References

https://github.com/blacklanternsecurity/bbot/commit/c2f4bc0f4

Problem Types

CWE-918 Server-Side Request Forgery (SSRF) CWE