Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2026-47715

CVE-2026-47715: Bugsink Auth Bypass Vulnerability

CVE-2026-47715 is an authorization bypass flaw in Bugsink that allows logged-in users to access event data from other projects. This article covers the technical details, affected versions, impact, and mitigation.

Published:

CVE-2026-47715 Overview

CVE-2026-47715 is a project-boundary authorization vulnerability in Bugsink, a self-hosted error tracking tool. Versions prior to 2.2.0 allow authenticated users to view event data from projects they do not have access to. The issue event pages accept a direct event identifier from the URL without validating that the event belongs to the issue referenced in the URL. The vulnerability is classified under [CWE-639] (Authorization Bypass Through User-Controlled Key) and is fixed in version 2.2.0.

Critical Impact

A logged-in user with access to one project can view another project's event data, including stacktraces, event details, and breadcrumbs, by referencing event identifiers across project boundaries.

Affected Products

  • Bugsink versions prior to 2.2.0
  • Bugsink issue event views: stacktrace, details, and breadcrumbs pages
  • Self-hosted Bugsink deployments with multiple projects

Discovery Timeline

  • 2026-05-26 - CVE-2026-47715 published to NVD
  • 2026-05-26 - Last updated in NVD database

Technical Details for CVE-2026-47715

Vulnerability Analysis

The vulnerability resides in Bugsink's issue event views. These views retrieve event records by referencing a direct event identifier supplied in the URL. The lookup does not enforce that the event belongs to the issue referenced in the same URL path. As a result, the request-handling logic decouples the event from its parent issue and parent project during retrieval.

An authenticated user with legitimate access to one project can substitute event identifiers from a different project into URLs that resolve to issues they are permitted to view. The server returns the unrelated event's stacktrace, details, and breadcrumbs data. This violates the project boundary that should isolate tenant data within a shared Bugsink instance.

Error tracking data often contains sensitive material. Stacktraces can expose source paths, function names, environment variables, and request payloads. Breadcrumbs can include user actions, internal URLs, and contextual identifiers. Cross-project disclosure undermines the multi-project segmentation model.

Root Cause

The root cause is a missing authorization check that should link the event identifier to the issue and project context. Bugsink trusts the user-controlled event identifier in the URL without verifying its relationship to the surrounding object hierarchy. This pattern aligns with [CWE-639], where an attacker manipulates a key reference to access resources outside their authorization scope.

Attack Vector

The attack requires network access and a valid authenticated session with low privileges. An attacker enumerates or guesses event identifiers belonging to other projects. The attacker then issues requests to issue event view endpoints using those identifiers. The server returns the cross-project event content without rejecting the mismatched ownership.

The vulnerability mechanism is described in the GitHub Security Advisory GHSA-vx2f-6m6h-9frf. No exploit code is required beyond crafted URL requests to the affected views.

Detection Methods for CVE-2026-47715

Indicators of Compromise

  • Authenticated requests to issue event endpoints where the event identifier does not match the project of the requesting user
  • Sequential or enumerated event identifier patterns in access logs originating from a single user session
  • Unusual access volume to stacktrace, details, or breadcrumbs views by users with access to only a small subset of projects

Detection Strategies

  • Audit Bugsink application logs for requests where the URL-supplied event identifier resolves to a project the authenticated user is not a member of
  • Correlate user-to-project membership records against event view access entries to surface boundary violations
  • Review web server access logs for high-frequency requests to issue event subpaths from individual accounts

Monitoring Recommendations

  • Enable verbose request logging on Bugsink to capture event identifiers and authenticated user identities
  • Forward Bugsink logs to a centralized logging or SIEM platform for cross-project access correlation
  • Alert on access patterns where a single account retrieves events spanning multiple projects within short time windows

How to Mitigate CVE-2026-47715

Immediate Actions Required

  • Upgrade Bugsink to version 2.2.0 or later, which contains the fix for this authorization issue
  • Review historical access logs for evidence of cross-project event retrieval prior to patching
  • Rotate any secrets, tokens, or credentials that may have been exposed through stacktraces or breadcrumb data

Patch Information

The vulnerability is fixed in Bugsink 2.2.0. Release details are available in the GitHub Bugsink Release 2.2.0. The patched versions enforce that an event lookup requires the event to belong to the issue and project referenced in the request URL.

Workarounds

  • Restrict Bugsink instance access to trusted users only until the upgrade is applied
  • Limit user membership to the minimum set of projects required for each account to reduce exposure surface
  • Place the Bugsink interface behind network controls that restrict access to authenticated, audited sessions
bash
# Upgrade Bugsink to the patched release
pip install --upgrade bugsink==2.2.0

# Verify the installed version
bugsink --version

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.