CVE-2026-47716 Overview
CVE-2026-47716 is an authorization flaw in Bugsink, a self-hosted error tracking tool. The issue list view authorizes access through the project specified in the URL. However, it applies bulk actions to submitted issue IDs without verifying those issues belong to the authorized project. An authenticated user with access to one project can perform bulk actions on issues belonging to other projects. The vulnerability falls under [CWE-639] Authorization Bypass Through User-Controlled Key. Bugsink versions prior to 2.2.0 are affected, and the maintainers fixed the issue in version 2.2.0.
Critical Impact
Authenticated users can modify issues in projects they do not have permission to access by submitting cross-project issue IDs to the bulk action endpoint.
Affected Products
- Bugsink versions prior to 2.2.0
- Self-hosted Bugsink error tracking deployments
- Bugsink multi-project tenants
Discovery Timeline
- 2026-05-26 - CVE-2026-47716 published to NVD
- 2026-05-26 - Last updated in NVD database
Technical Details for CVE-2026-47716
Vulnerability Analysis
The vulnerability is an Insecure Direct Object Reference (IDOR) in Bugsink's issue list view. The bulk action handler enforces authorization based on the project identifier embedded in the request URL. The handler then operates on a list of issue IDs supplied in the request body without re-validating that those issues belong to the authorized project. An attacker with legitimate access to any single project can craft a bulk action request that targets issue IDs from other projects.
The flaw is limited to operations exposed through the bulk action interface, such as resolving, muting, or deleting issues. Confidentiality is not directly affected because the endpoint does not return issue content. Integrity is impacted because the attacker can alter issue state across project boundaries.
Root Cause
The root cause is missing object-level authorization. The application correctly validates project access at the URL routing layer but fails to extend that check to each issue_id value submitted in the bulk payload. This pattern is a textbook [CWE-639] failure, where authorization decisions rely on a user-controlled key without scope validation.
Attack Vector
Exploitation requires network access to the Bugsink instance and a valid authenticated session with permissions on at least one project. The attacker enumerates or guesses issue IDs from other projects, then submits them to the bulk action endpoint of a project they control. The server applies the action without further authorization checks. The attack complexity is elevated because the attacker must know or discover valid issue IDs outside their assigned scope. No code example is published with this advisory. See the GitHub Security Advisory GHSA-g5vc-q7qc-v939 for additional technical context.
Detection Methods for CVE-2026-47716
Indicators of Compromise
- Unexpected state changes on issues such as bulk resolution, muting, or deletion that no project member initiated.
- Application logs showing bulk action requests where the project in the URL does not match the project of the affected issues.
- Audit trail entries that attribute cross-project issue modifications to users without permissions on the target project.
Detection Strategies
- Review Bugsink application logs for POST requests to issue bulk action endpoints and correlate the URL project with the project of each modified issue.
- Implement server-side instrumentation to flag bulk action payloads containing issue IDs that do not belong to the URL project.
- Compare historical issue state transitions against expected user permissions to identify retroactive evidence of exploitation.
Monitoring Recommendations
- Enable verbose request logging on the Bugsink reverse proxy or web server to capture full request payloads for bulk endpoints.
- Forward Bugsink application logs to a centralized logging platform and alert on anomalous bulk action volumes.
- Monitor user activity for accounts that perform bulk actions across an unusually large number of issues in short timeframes.
How to Mitigate CVE-2026-47716
Immediate Actions Required
- Upgrade all Bugsink instances to version 2.2.0 or later, which contains the official fix.
- Audit recent bulk action activity for unexpected state changes on issues across projects.
- Review user-to-project assignments and revoke access from accounts that no longer require it.
Patch Information
The vulnerability is fixed in Bugsink 2.2.0. Release notes and the patched code are documented in the Bugsink 2.2.0 Release Notes. The corresponding advisory is published as GHSA-g5vc-q7qc-v939. Administrators should apply this update across all production and staging deployments.
Workarounds
- Restrict Bugsink access to trusted internal users until the upgrade to 2.2.0 is complete.
- Limit the number of users with bulk action permissions to reduce the exposure surface.
- Place the Bugsink instance behind a web application firewall configured to inspect bulk action payloads.
# Upgrade Bugsink to the patched release
pip install --upgrade bugsink==2.2.0
# Or for Docker deployments
docker pull bugsink/bugsink:2.2.0
docker compose up -d
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

