Description
Bugsink is a self-hosted error tracking tool. In Bugsink 2.1.0, an authenticated file write vulnerability was identified in the artifact bundle assembly flow. A user with a valid authentication token could cause the application to write attacker-controlled content to a filesystem location writable by the Bugsink process. This vulnerability is fixed in 2.1.1.
Published: 2026-04-10
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Arbitrary file write
Action: Apply patch
AI Analysis

Impact

Bugsink, a self-hosted error tracking tool, contains an issue in the artifact bundle assembly process that allows an authenticated attacker to write arbitrary content to any file system location that the Bugsink process can write to. This flaw is due to insufficient validation of user input (CWE‑20). Consequently, a malicious user with a valid authentication token could overwrite configuration files, deploy malicious scripts, or otherwise alter the system, potentially compromising confidentiality, integrity, or availability.

Affected Systems

The vulnerability affects Bugsink version 2.1.0. All deployments running this version are at risk. The issue was fixed in Bugsink 2.1.1, so upgrades to that version or later eliminate the flaw.

Risk and Exploitability

The CVSS score of 7.1 indicates a high‑severity risk. Because the flaw requires authentication, the attack vector is confined to legitimate users or compromised accounts; nevertheless, any token holder can exploit the vulnerability. EPSS data is unavailable, so the exploitation likelihood cannot be quantified, and the vulnerability is not listed in the CISA KEV catalog. Organizations should treat this as a high‑risk flaw capable of enabling significant system damage if not remedied promptly.

Generated by OpenCVE AI on April 10, 2026 at 18:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Bugsink to version 2.1.1 or newer to apply the vendor fix.
  • Restrict the use of authentication tokens to the minimum set of permissions required for users.
  • Verify file system permissions to ensure the Bugsink process can only write to intended directories.

Generated by OpenCVE AI on April 10, 2026 at 18:21 UTC.


Advisories

  Source: Github GHSA
  ID: GHSA-8hw4-fhww-273g
  Title: Bugsink affected by authenticated arbitrary file write in artifactbundle/assemble
History

Wed, 15 Apr 2026 19:15:00 +0000

  Type: CPEs
  Values Removed: (none)
  Values Added: cpe:2.3:a:bugsink:bugsink:2.1.0:*:*:*:*:*:*:*

Mon, 13 Apr 2026 13:00:00 +0000

  Type: First Time appeared
  Values Removed: (none)
  Values Added: Bugsink; Bugsink bugsink

  Type: Vendors & Products
  Values Removed: (none)
  Values Added: Bugsink; Bugsink bugsink

Fri, 10 Apr 2026 19:15:00 +0000

  Type: Metrics (ssvc)
  Values Removed: (none)
  Values Added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 10 Apr 2026 17:30:00 +0000

  Type: Description
  Values Removed: (none)
  Values Added: Bugsink is a self-hosted error tracking tool. In 2.1.0, an authenticated file write vulnerability was identified in Bugsink 2.1.0 in the artifact bundle assembly flow. A user with a valid authentication token could cause the application to write attacker-controlled content to a filesystem location writable by the Bugsink process. This vulnerability is fixed in 2.1.1.

  Type: Title
  Values Removed: (none)
  Values Added: Bugsink affected by authenticated arbitrary file write in artifactbundle/assemble

  Type: Weaknesses
  Values Removed: (none)
  Values Added: CWE-20

  Type: References
  Values Removed: (none)
  Values Added:

  Type: Metrics (cvssV3_1)
  Values Removed: (none)
  Values Added: {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-10T18:30:44.339Z

Reserved: 2026-04-09T19:31:56.014Z

Link: CVE-2026-40162

Vulnrichment

Updated: 2026-04-10T18:30:40.731Z

NVD

Status : Analyzed

Published: 2026-04-10T18:16:46.083

Modified: 2026-04-15T19:05:54.373

Link: CVE-2026-40162

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-13T13:00:08Z

Weaknesses