Description
Debusine is an integrated solution to build, distribute and maintain a Debian-based distribution. Files managed by debusine are organized into artifacts. The endpoints that create and delete relationships between artifacts enforced no permissions checks beyond being able to see the artifacts in question.
Published: 2026-06-10
Score: n/a
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability arises from Debusine's artifact relationship endpoints lacking proper permission checks. Any user who can view artifacts can also create or delete relationships. This enables an attacker to manipulate the build pipeline, potentially insert malicious artifacts or break distribution integrity, compromising both confidentiality and availability of the Debian‑based distribution.

Affected Systems

Debusine, the Debian‑based distribution management tool. The issue applies to all versions that implement artifact relationship endpoints before the patch referenced in the Debian commit 98104f46dc546a27a0326d5ef728ac7f426c430a.

Risk and Exploitability

The CVSS score is not provided, and EPSS is unavailable, so the exact exploitation likelihood is unclear. However, because any actor who can view artifacts can manipulate relationships, the risk is moderate to high until mitigated. No KEV listing indicates no known exploited cases to date. The attack requires only discovery of artifact visibility; once that is achieved, the relationship endpoints can be abused.

Generated by OpenCVE AI on June 10, 2026 at 10:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Debusine to the latest release or apply the corrective patch from the Debian commit referenced.
  • Restrict access to the artifact relationship endpoints, implementing strict permission checks so that only privileged users can create or delete relationships.
  • Continuously monitor and audit artifact relationship changes to detect and respond to unauthorized activity.

Generated by OpenCVE AI on June 10, 2026 at 10:21 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 10 Jun 2026 11:30:00 +0000

Type Values Removed Values Added
First Time appeared Debian
Debian debusine
Vendors & Products Debian
Debian debusine

Wed, 10 Jun 2026 10:45:00 +0000

Type Values Removed Values Added
Title Unauthorized Artifact Relationship Modification in Debusine
Weaknesses CWE-284

Wed, 10 Jun 2026 09:45:00 +0000

Type Values Removed Values Added
Description Debusine is an integrated solution to build, distribute and maintain a Debian-based distribution. Files managed by debusine are organized into artifacts. The endpoints that create and delete relationships between artifacts enforced no permissions checks beyond being able to see the artifacts in question.
References

Subscriptions

Debian Debusine
cve-icon MITRE

Status: PUBLISHED

Assigner: debian

Published:

Updated: 2026-06-10T09:12:30.625Z

Reserved: 2026-06-10T08:25:35.480Z

Link: CVE-2026-11852

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Received

Published: 2026-06-10T10:16:31.350

Modified: 2026-06-10T10:16:31.350

Link: CVE-2026-11852

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-10T11:21:07Z

Weaknesses