Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Lifecycle Timeline
4DescriptionNVD
Debusine is an integrated solution to build, distribute and maintain a Debian-based distribution. Files managed by debusine are organized into artifacts. The endpoints that create and delete relationships between artifacts enforced no permissions checks beyond being able to see the artifacts in question.
AnalysisAI
Missing authorization controls on Debusine's artifact relationship endpoints allow remote actors to create and delete artifact relationships without holding the necessary write permissions, affecting all versions from 0.2.0 through 0.14.5. The only implicit gatekeeping was visibility of the referenced artifacts - not modification rights - a CWE-862 (Missing Authorization) flaw that exposes both data integrity and limited confidentiality of build artifact metadata. No public exploit code exists and EPSS places exploitation probability at 0.01% (3rd percentile), reflecting the tool's niche deployment scope within Debian build infrastructure; the vulnerability is not confirmed actively exploited (CISA KEV).
Technical ContextAI
Debusine is a Freexian-maintained, Debian-project-hosted solution for building, distributing, and maintaining Debian-based distributions; it organizes managed files into discrete units called artifacts, with defined relationships between them tracked via dedicated API endpoints. The affected product is identified by CPE cpe:2.3:a:debian:debusine:*:*:*:*:*:*:*:* spanning versions 0.2.0 through pre-0.14.6. The root cause is CWE-862 (Missing Authorization): the endpoints responsible for creating and deleting artifact-to-artifact relationships evaluated only whether the requesting entity could view the referenced artifacts, not whether they held write or administrative privileges over those artifacts or their relationship graph. This design gap decouples read access from modification capability, violating least-privilege principles in the authorization model. The upstream fix is traceable to commit 98104f46dc546a27a0326d5ef728ac7f426c430a in the Salsa repository, introduced via merge request 2836.
RemediationAI
Upgrade Debusine to version 0.14.6 or later, which incorporates the authorization fix introduced in commit 98104f46dc546a27a0326d5ef728ac7f426c430a (https://salsa.debian.org/freexian-team/debusine/-/commit/98104f46dc546a27a0326d5ef728ac7f426c430a) via merge request 2836 (https://salsa.debian.org/freexian-team/debusine/-/merge_requests/2836); the vendor patch is confirmed available per the issue at https://salsa.debian.org/freexian-team/debusine/-/work_items/1499. If immediate upgrade is not feasible, administrators should restrict network-level access to the artifact relationship creation and deletion API endpoints to only explicitly authorized internal clients or users - note this may disrupt legitimate automation workflows that depend on those endpoints. Prior to and following patching, auditing the artifact relationship graph for unauthorized additions or deletions is advisable to detect any tampering that may have occurred during the exposure window. No generic workaround short of endpoint restriction addresses the root authorization gap.
Same weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-35998
GHSA-2wmq-wq3w-j93h