CVE-2026-12566 — BBOT: Server-Side Request Forgery (SSRF) in docker_pull module via WWW-Authentic

Description

The `docker_pull` module uses the `realm` parameter from a Docker registry's `WWW-Authenticate` response header as the authentication endpoint without validation. An attacker in a man-in-the-middle position between bbot and a Docker registry could modify this header to redirect the authentication request to an arbitrary endpoint, potentially leaking authentication tokens.

How to fix CVE-2026-12566

To remediate CVE-2026-12566, upgrade the affected package to a fixed version below.

—upgrade to 2.8.5 or later

Is CVE-2026-12566 being exploited?

No exploitation signal available. Neither CISA KEV nor a current EPSS score has been published for CVE-2026-12566.

Affected packages (1)

>= 2.0.0, < 2.8.5

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	LOW3.1	CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N

References (4)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2026-12566
PATCHgithub.com/blacklanternsecurity/bbot
WEBgithub.com/blacklanternsecurity/bbot/commit/c2f4bc0f4
WEBgithub.com/blacklanternsecurity/bbot/security/advisories/GHSA-3mp7-vp6j-2mxx