Skip to main content

Bugsink EUVD-2026-31860

| CVE-2026-47728 MEDIUM
Missing Authorization (CWE-862)
2026-05-26 GitHub_M GHSA-5389-f7vh-wxj8
Authentication Bypass Bugsink
4.3
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
4.3 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
None

Lifecycle Timeline

3
Source Code Evidence Fetched
Jun 08, 2026 - 12:50 vuln.today
Analysis Generated
Jun 08, 2026 - 12:50 vuln.today
Patch available
May 26, 2026 - 18:02 EUVD

DescriptionGitHub Advisory

Bugsink is a self-hosted error tracking tool. Prior to 2.2.0, Bugsink resolved sourcemaps and debug files by debug ID without scoping that lookup to the project that owned the uploaded metadata. An authenticated user with access to one project could cause event processing in that project to use sourcemap/debug-file metadata uploaded for another project in the same Bugsink instance, if the same debug ID was referenced. This vulnerability is fixed in 2.2.0.

AnalysisAI

Cross-project sourcemap and debug-file disclosure in Bugsink prior to 2.2.0 allows an authenticated user with access to one project to read source context or symbolication-derived data belonging to a separate project on the same instance. The root cause is a missing authorization scope check (CWE-862): debug IDs supplied by clients were resolved globally rather than constrained to the owning project, meaning a deliberate or accidental debug ID collision across projects leaks file metadata. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts
Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Authenticate to Bugsink as low-privilege project member
Delivery
Identify or guess debug ID from target project's uploaded sourcemaps
Exploit
Submit crafted error event referencing cross-project debug ID
Execution
Global debug-ID resolver returns target project's sourcemap metadata
Persist
Event symbolication embeds source context from other project
Impact
Attacker reads disclosed source code snippets in processed event view
Sign in to reveal

Vulnerability AssessmentAI

Exploitation Exploitation requires an authenticated session with at least low-privilege project membership (CVSS PR:L confirmed). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The aggregate risk picture is low-to-moderate and consistently confirmed across multiple signals. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An authenticated user who is a member of Project A on a shared Bugsink instance crafts or submits an error event that references a debug ID known (or guessed) to match a sourcemap previously uploaded for the confidential Project B. During event processing, Bugsink's global debug-ID resolution returns Project B's sourcemap, embedding source file context - potentially proprietary source code snippets - into the processed event visible to the Project A member. …
Remediation Upgrade Bugsink to version 2.2.0 or later, available via PyPI ('pip install --upgrade bugsink') and documented at https://github.com/bugsink/bugsink/releases/tag/2.2.0. … Detailed patch versions, workarounds, and compensating controls in full report.
Sign in to read full assessment

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-31860 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy