Skip to main content

Debusine CVE-2026-11852

| EUVDEUVD-2026-35998 MEDIUM
Missing Authorization (CWE-862)
2026-06-10 debian GHSA-2wmq-wq3w-j93h
6.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

4
Analysis Generated
Jun 10, 2026 - 19:30 vuln.today
CVSS changed
Jun 10, 2026 - 19:22 NVD
6.5 (MEDIUM)
Patch available
Jun 10, 2026 - 11:01 EUVD
CVE Published
Jun 10, 2026 - 09:10 nvd
UNKNOWN (no severity yet)

DescriptionNVD

Debusine is an integrated solution to build, distribute and maintain a Debian-based distribution. Files managed by debusine are organized into artifacts. The endpoints that create and delete relationships between artifacts enforced no permissions checks beyond being able to see the artifacts in question.

AnalysisAI

Missing authorization controls on Debusine's artifact relationship endpoints allow remote actors to create and delete artifact relationships without holding the necessary write permissions, affecting all versions from 0.2.0 through 0.14.5. The only implicit gatekeeping was visibility of the referenced artifacts - not modification rights - a CWE-862 (Missing Authorization) flaw that exposes both data integrity and limited confidentiality of build artifact metadata. No public exploit code exists and EPSS places exploitation probability at 0.01% (3rd percentile), reflecting the tool's niche deployment scope within Debian build infrastructure; the vulnerability is not confirmed actively exploited (CISA KEV).

Technical ContextAI

Debusine is a Freexian-maintained, Debian-project-hosted solution for building, distributing, and maintaining Debian-based distributions; it organizes managed files into discrete units called artifacts, with defined relationships between them tracked via dedicated API endpoints. The affected product is identified by CPE cpe:2.3:a:debian:debusine:*:*:*:*:*:*:*:* spanning versions 0.2.0 through pre-0.14.6. The root cause is CWE-862 (Missing Authorization): the endpoints responsible for creating and deleting artifact-to-artifact relationships evaluated only whether the requesting entity could view the referenced artifacts, not whether they held write or administrative privileges over those artifacts or their relationship graph. This design gap decouples read access from modification capability, violating least-privilege principles in the authorization model. The upstream fix is traceable to commit 98104f46dc546a27a0326d5ef728ac7f426c430a in the Salsa repository, introduced via merge request 2836.

RemediationAI

Upgrade Debusine to version 0.14.6 or later, which incorporates the authorization fix introduced in commit 98104f46dc546a27a0326d5ef728ac7f426c430a (https://salsa.debian.org/freexian-team/debusine/-/commit/98104f46dc546a27a0326d5ef728ac7f426c430a) via merge request 2836 (https://salsa.debian.org/freexian-team/debusine/-/merge_requests/2836); the vendor patch is confirmed available per the issue at https://salsa.debian.org/freexian-team/debusine/-/work_items/1499. If immediate upgrade is not feasible, administrators should restrict network-level access to the artifact relationship creation and deletion API endpoints to only explicitly authorized internal clients or users - note this may disrupt legitimate automation workflows that depend on those endpoints. Prior to and following patching, auditing the artifact relationship graph for unauthorized additions or deletions is advisable to detect any tampering that may have occurred during the exposure window. No generic workaround short of endpoint restriction addresses the root authorization gap.

Share

CVE-2026-11852 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy