Skip to main content

Bugsink CVE-2026-47716

| EUVD-2026-31862 LOW
Authorization Bypass Through User-Controlled Key (CWE-639)
2026-05-26 GitHub_M GHSA-g5vc-q7qc-v939
Authentication Bypass Bugsink
3.1
CVSS 3.1 · GitHub Advisory

Severity by source

GitHub Advisory PRIMARY
3.1 LOW
AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
High
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
None

Lifecycle Timeline

3
Source Code Evidence Fetched
Jun 08, 2026 - 13:41 vuln.today
Analysis Generated
Jun 08, 2026 - 13:41 vuln.today
Patch available
May 26, 2026 - 18:02 EUVD

DescriptionGitHub Advisory

Bugsink is a self-hosted error tracking tool. Prior to 2.2.0, In affected versions, the issue list view authorizes access through the project in the URL, but applies the requested bulk action to the submitted issue IDs without also requiring those issues to belong to that project. This vulnerability is fixed in 2.2.0.

AnalysisAI

Cross-project issue state modification in Bugsink prior to 2.2.0 allows authenticated users with access to one project to alter the state of issues belonging to other projects if a valid target issue UUID is known. The bulk action endpoint authorizes based on the project in the URL but applies submitted issue IDs without verifying project membership, creating a project-boundary authorization bypass. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts
Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Authenticate to Bugsink instance
Delivery
Acquire valid issue UUID from a separate project (shared link or prior access)
Exploit
Craft bulk action request with foreign issue UUID
Execution
Submit request through authorized project endpoint
Persist
Backend applies state change without project-scope validation
Impact
Target issue state modified in unauthorized project
Sign in to reveal

Vulnerability AssessmentAI

Exploitation Exploitation requires the attacker to be an authenticated Bugsink user (CVSS PR:L) with at least member-level access to any project on the target instance. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment Real-world risk is low and consistent across all available signals. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An authenticated Bugsink user with legitimate membership in Project A obtains the UUID of an issue in Project B - for example, from a previously shared link, a notification, or prior elevated access. The attacker submits a bulk resolve or mute request through the Project A issue list interface, supplying the Project B issue UUID in the payload. …
Remediation Upgrade to Bugsink 2.2.0 or later, which scopes bulk issue actions and event lookups to the authorized project, eliminating the boundary bypass. … Detailed patch versions, workarounds, and compensating controls in full report.
Sign in to read full assessment

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-47716 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy