CVE-2026-47715 Overview
CVE-2026-47715 is a project-boundary authorization vulnerability in Bugsink, a self-hosted error tracking tool. Versions prior to 2.2.0 allow authenticated users to view event data from projects they do not have access to. The issue event pages accept a direct event identifier from the URL without validating that the event belongs to the issue referenced in the URL. The vulnerability is classified under [CWE-639] (Authorization Bypass Through User-Controlled Key) and is fixed in version 2.2.0.
Critical Impact
A logged-in user with access to one project can view another project's event data, including stacktraces, event details, and breadcrumbs, by referencing event identifiers across project boundaries.
Affected Products
- Bugsink versions prior to 2.2.0
- Bugsink issue event views: stacktrace, details, and breadcrumbs pages
- Self-hosted Bugsink deployments with multiple projects
Discovery Timeline
- 2026-05-26 - CVE-2026-47715 published to NVD
- 2026-05-26 - Last updated in NVD database
Technical Details for CVE-2026-47715
Vulnerability Analysis
The vulnerability resides in Bugsink's issue event views. These views retrieve event records by referencing a direct event identifier supplied in the URL. The lookup does not enforce that the event belongs to the issue referenced in the same URL path. As a result, the request-handling logic decouples the event from its parent issue and parent project during retrieval.
An authenticated user with legitimate access to one project can substitute event identifiers from a different project into URLs that resolve to issues they are permitted to view. The server returns the unrelated event's stacktrace, details, and breadcrumbs data. This violates the project boundary that should isolate tenant data within a shared Bugsink instance.
Error tracking data often contains sensitive material. Stacktraces can expose source paths, function names, environment variables, and request payloads. Breadcrumbs can include user actions, internal URLs, and contextual identifiers. Cross-project disclosure undermines the multi-project segmentation model.
Root Cause
The root cause is a missing authorization check that should link the event identifier to the issue and project context. Bugsink trusts the user-controlled event identifier in the URL without verifying its relationship to the surrounding object hierarchy. This pattern aligns with [CWE-639], where an attacker manipulates a key reference to access resources outside their authorization scope.
Attack Vector
The attack requires network access and a valid authenticated session with low privileges. An attacker enumerates or guesses event identifiers belonging to other projects. The attacker then issues requests to issue event view endpoints using those identifiers. The server returns the cross-project event content without rejecting the mismatched ownership.
The vulnerability mechanism is described in the GitHub Security Advisory GHSA-vx2f-6m6h-9frf. No exploit code is required beyond crafted URL requests to the affected views.
Detection Methods for CVE-2026-47715
Indicators of Compromise
- Authenticated requests to issue event endpoints where the event identifier does not match the project of the requesting user
- Sequential or enumerated event identifier patterns in access logs originating from a single user session
- Unusual access volume to stacktrace, details, or breadcrumbs views by users with access to only a small subset of projects
Detection Strategies
- Audit Bugsink application logs for requests where the URL-supplied event identifier resolves to a project the authenticated user is not a member of
- Correlate user-to-project membership records against event view access entries to surface boundary violations
- Review web server access logs for high-frequency requests to issue event subpaths from individual accounts
Monitoring Recommendations
- Enable verbose request logging on Bugsink to capture event identifiers and authenticated user identities
- Forward Bugsink logs to a centralized logging or SIEM platform for cross-project access correlation
- Alert on access patterns where a single account retrieves events spanning multiple projects within short time windows
How to Mitigate CVE-2026-47715
Immediate Actions Required
- Upgrade Bugsink to version 2.2.0 or later, which contains the fix for this authorization issue
- Review historical access logs for evidence of cross-project event retrieval prior to patching
- Rotate any secrets, tokens, or credentials that may have been exposed through stacktraces or breadcrumb data
Patch Information
The vulnerability is fixed in Bugsink 2.2.0. Release details are available in the GitHub Bugsink Release 2.2.0. The patched versions enforce that an event lookup requires the event to belong to the issue and project referenced in the request URL.
Workarounds
- Restrict Bugsink instance access to trusted users only until the upgrade is applied
- Limit user membership to the minimum set of projects required for each account to reduce exposure surface
- Place the Bugsink interface behind network controls that restrict access to authenticated, audited sessions
# Upgrade Bugsink to the patched release
pip install --upgrade bugsink==2.2.0
# Verify the installed version
bugsink --version
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

