Severity by source
AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N
Primary rating from GitHub Advisory · only source for this CVE.
CVSS Vector (GitHub Advisory)
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N
Description (GitHub Advisory)
Bugsink is a self-hosted error tracking tool. Prior to 2.2.0, Bugsink issue event pages accept a direct event identifier from the URL and, in affected versions, look up that event without also requiring it to belong to the issue in the URL. This is a project-boundary authorization issue: a logged-in user with access to one project can view another project’s event data through an issue they are allowed to access. The affected views include the stacktrace, details, and breadcrumbs pages for an issue event. This vulnerability is fixed in 2.2.0.
Analysis (AI)
Cross-project event data exposure in Bugsink prior to 2.2.0 allows an authenticated user with access to one project to read event data - including stacktraces, breadcrumbs, and raw event details - belonging to a separate, unauthorized project. The flaw (CWE-639) exists because issue event views accept a direct event UUID from the URL without verifying that the event belongs to the project in the same URL path. …
Vulnerability Assessment (AI)
| Aspect | Assessment |
| --- | --- |
| Exploitation | Exploitation requires three concurrent conditions: (1) an authenticated session on the Bugsink instance (CVSS PR:L - unauthenticated access is not sufficient); (2) project membership in at least one project on that instance, providing a valid issue URL to use as the access vehicle; and (3) prior knowledge of a specific, valid event UUID from the target project - the GHSA advisory explicitly confirms there is no event enumeration path and that UUIDs are not practically guessable. … |
| Risk Assessment | The CVSS 3.1 base score of 3.1 (Low) accurately captures the constrained attack surface: AV:N indicates network reachability, AC:H reflects the practical barrier of needing a known-valid target UUID (confirmed non-enumerable and non-guessable by the GHSA advisory), PR:L requires an authenticated session, and C:L scopes impact to partial confidentiality loss with no integrity or availability impact. … |
| Exploit Scenario | An authenticated Bugsink user legitimately assigned to Project A acquires a valid event UUID from Project B - for example via a leaked log entry, a teammate's inadvertent disclosure, or insider access - then substitutes that UUID into an issue event URL scoped to an issue in Project A. The application resolves the event by UUID alone, bypasses the project-boundary check, and returns the target project's stacktrace or breadcrumb data to the unauthorized requester. … |
| Remediation | Upgrade Bugsink to version 2.2.0 or later; this is the vendor-released patch that resolves the issue by scoping direct event lookups to both the authorized issue and project. … |
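The authorization shape behind this advisory, as an added illustration that is not Bugsink's code: an in-memory model where the issue in the URL is authorized correctly but the event is then fetched by UUID alone, beside the scoped lookup that the 2.2.0 fix describes. The Issue/Event types, the MEMBERSHIP table and the get_event_* names are assumptions, not Bugsink identifiers.

```python
# Added example, not Bugsink's code: the CWE-639 pattern from the advisory,
# modelled with an in-memory store. Issue, Event, MEMBERSHIP and the
# get_event_* names are assumptions, not Bugsink identifiers.
from dataclasses import dataclass
from uuid import UUID, uuid4

@dataclass(frozen=True)
class Issue:
    id: UUID
    project: str

@dataclass(frozen=True)
class Event:
    id: UUID
    issue_id: UUID

# Constructed sample data: one issue and one event in each of two projects.
ISSUE_A, ISSUE_B = Issue(uuid4(), "project-a"), Issue(uuid4(), "project-b")
EVENT_A, EVENT_B = Event(uuid4(), ISSUE_A.id), Event(uuid4(), ISSUE_B.id)
ISSUES = {i.id: i for i in (ISSUE_A, ISSUE_B)}
EVENTS = {e.id: e for e in (EVENT_A, EVENT_B)}
MEMBERSHIP = {"alice": {"project-a"}}  # alice is a member of project-a only

def authorized_issue(user: str, issue_id: UUID) -> Issue:
    """Project-membership check on the issue named in the URL path."""
    issue = ISSUES.get(issue_id)
    if issue is None:
        raise LookupError("no such issue")              # 404
    if issue.project not in MEMBERSHIP.get(user, set()):
        raise PermissionError("not a project member")  # 403
    return issue

def get_event_vulnerable(user: str, issue_id: UUID, event_id: UUID) -> Event:
    """Pre-2.2.0 shape: issue authorized, event fetched by UUID alone."""
    authorized_issue(user, issue_id)
    event = EVENTS.get(event_id)  # an event from any project is returned
    if event is None:
        raise LookupError("no such event")
    return event

def get_event_fixed(user: str, issue_id: UUID, event_id: UUID) -> Event:
    """Fixed shape: the event must also belong to the authorized issue.
    A foreign UUID gets the same 404 as an unknown one, confirming nothing."""
    issue = authorized_issue(user, issue_id)
    event = EVENTS.get(event_id)
    if event is None or event.issue_id != issue.id:
        raise LookupError("no such event")
    return event
```

The same check is what you would add to any view that takes two identifiers from one URL: every object resolved from the path must be tied back to the object whose access was actually authorized.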
EUVD-2026-31861
GHSA-vx2f-6m6h-9frf