Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2026-47728

CVE-2026-47728: Bugsink Auth Bypass Vulnerability

CVE-2026-47728 is an authentication bypass flaw in Bugsink that allows users to access sourcemap metadata across projects via debug ID exploitation. This post covers technical details, affected versions, and mitigations.

Published:

CVE-2026-47728 Overview

CVE-2026-47728 affects Bugsink, a self-hosted error tracking tool. Versions prior to 2.2.0 resolve sourcemaps and debug files by debug ID without scoping the lookup to the project that owns the uploaded metadata. An authenticated user with access to one project can cause event processing in that project to consume sourcemap or debug-file metadata uploaded for another project on the same Bugsink instance when the same debug ID is referenced. The flaw is classified as missing authorization [CWE-862] and is fixed in Bugsink 2.2.0.

Critical Impact

Authenticated users can trigger cross-project use of sourcemap and debug-file metadata, leading to limited confidentiality exposure of artifacts uploaded to other projects in the same instance.

Affected Products

  • Bugsink self-hosted error tracking tool
  • Bugsink versions prior to 2.2.0
  • Multi-project Bugsink instances sharing a debug ID namespace

Discovery Timeline

  • 2026-05-26 - CVE-2026-47728 published to the National Vulnerability Database (NVD)
  • 2026-05-26 - Last updated in NVD database

Technical Details for CVE-2026-47728

Vulnerability Analysis

Bugsink ingests crash and error events from instrumented applications, then symbolicates stack traces using sourcemaps and debug files uploaded by project maintainers. Each artifact is associated with a debug ID that uniquely identifies a build output. In versions before 2.2.0, the lookup that resolves a debug ID to an artifact queries the global metadata store without filtering by the requesting project. Any event processed under project A can therefore consume artifacts uploaded to project B when both reference the same debug ID. The result is unintended cross-tenant access to symbolication metadata in a multi-project deployment.

This is a missing authorization weakness [CWE-862] rather than a memory safety or injection issue. The integrity and availability of affected projects are not directly impacted, but artifact contents and any embedded source paths or symbol names can leak through resolved stack frames.

Root Cause

The root cause is the absence of a project scope in the database query that maps a debug ID to a sourcemap or debug-file record. Bugsink treats the debug ID as globally unique within an instance, even though uploads are owned by individual projects. The authorization check needed to enforce per-project isolation is not performed during artifact resolution.

Attack Vector

Exploitation requires an authenticated user with access to at least one project on a Bugsink instance that hosts multiple projects. The attacker uploads or sends an event referencing a debug ID that is also present in another project. During event processing, Bugsink resolves the debug ID against the global artifact set and applies the other project's sourcemap or debug file. The attacker observes the symbolicated output through the normal event view, indirectly revealing contents of the foreign artifact. No user interaction beyond the attacker's own session is required, and the attack is performed over the network against the Bugsink web interface or ingestion API.

No public exploit is available, and the issue is not listed in the CISA Known Exploited Vulnerabilities catalog. See the GitHub Security Advisory GHSA-5389-f7vh-wxj8 for additional technical context.

Detection Methods for CVE-2026-47728

Indicators of Compromise

  • Event symbolication results in a project referencing source paths, file names, or symbol identifiers that do not match any artifact uploaded to that project.
  • Repeated event submissions from a single user that reference debug IDs not previously associated with their project.
  • Audit logs showing artifact lookups by debug ID without a corresponding upload event in the same project.

Detection Strategies

  • Compare resolved sourcemap and debug-file identifiers in processed events against the list of artifacts uploaded to the owning project, and alert on mismatches.
  • Review database query patterns for artifact resolution and confirm that project scoping is applied after upgrading to 2.2.0.
  • Correlate authenticated user activity across projects to identify accounts probing for shared debug IDs.

Monitoring Recommendations

  • Enable verbose logging on the Bugsink event ingestion pipeline and retain logs covering artifact resolution decisions.
  • Monitor for unusual event volumes from low-privilege project accounts, especially those submitting events with externally supplied debug IDs.
  • Track upgrade status of Bugsink instances and flag any production deployments still running versions below 2.2.0.

How to Mitigate CVE-2026-47728

Immediate Actions Required

  • Upgrade all Bugsink installations to version 2.2.0 or later, where the artifact lookup is scoped to the owning project.
  • Inventory existing sourcemap and debug-file uploads and identify debug IDs shared across multiple projects on the same instance.
  • Review project membership and remove access for accounts that no longer require it, reducing the population able to exploit the issue.

Patch Information

The issue is fixed in Bugsink 2.2.0. Refer to the Bugsink 2.2.0 release notes and the GitHub Security Advisory GHSA-5389-f7vh-wxj8 for upgrade guidance and the underlying code change.

Workarounds

  • Operate single-project Bugsink instances until the upgrade is applied, eliminating the cross-project lookup condition.
  • Restrict authenticated access on shared instances to trusted users only while the patch is staged.
  • Rotate or regenerate build artifacts so that debug IDs are not reused across projects on the same instance.
bash
# Configuration example: pin Bugsink to the patched release in Docker Compose
services:
  bugsink:
    image: bugsink/bugsink:2.2.0
    restart: unless-stopped

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.