PT-2026-59069 · Pypi · Bbot

Published

2026-07-13

·

Updated

2026-07-13

CVSS v3.1

3.1

Low

VectorAV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N
The docker pull module uses the realm parameter from a Docker registry's WWW-Authenticate response header as the authentication endpoint without validation. An attacker in a man-in-the-middle position between bbot and a Docker registry could modify this header to redirect the authentication request to an arbitrary endpoint, potentially leaking authentication tokens.

Fix

Found an issue in the description? Have something to add? Feel free to write us 👾

Related Identifiers

PYSEC-2026-2391

Affected Products

Bbot