CVE-2026-44502 - Vulnerability Details

- Bugsink: SSRF bypass in `validate_webhook_url`

Description

Bugsink is a self-hosted error tracking tool. Prior to 2.1.3, Bugsink’s webhook URL validation could be (partially) bypassed because of a mismatch in URL parsing. The original validation logic parsed webhook URLs with Python’s urllib.parse.urlparse, then sent the request with requests.post. For malformed inputs involving backslashes and @, those components can disagree about where the authority ends and which hostname is the real target. A URL may therefore appear to target an allowlisted public hostname during validation, while the HTTP client actually connects to a different host. This vulnerability is fixed in 2.1.3.

Published: 2026-05-26

Score: 4.3 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

Bugsink’s webhook validation could be bypassed because of a mismatch between Python’s urllib.parse.urlparse and the requests.post behavior. A crafted URL with backslashes and an @ character can cause the validation step to think the target is an allowlisted public host while the actual HTTP request reaches a different host. This enables an attacker to force Bugsink to issue internal or otherwise forbidden requests, proving a server‑side request forgery flaw (CWE-918).

Affected Systems

All Bugsink self‑hosted error tracking installations prior to release 2.1.3 are vulnerable. The affected product is Bugsink, and any deployment using version 2.1.2 or earlier can be impacted.

Risk and Exploitability

The CVSS score of 4.3 indicates moderate severity. No EPSS data is available and the vulnerability is not listed in CISA KEV, suggesting limited publicly documented exploitation. However, the flaw can be triggered by any user who can create or modify a webhook URL for their Bugsink instance. Based on the description, it is inferred that the attack vector is internally controlled input, and the impacted area is Bugsink’s outbound HTTP client. Once exploited, the attacker can make Bugsink reach arbitrary hosts or services.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

bugsink

affected

Version	Status	Constraints
`< 2.1.3`	affected	—

No data.

Vendor Product Confidence Versions

Bugsink

100%

Version	Status	Scheme	Platform
`[0,2.1.3)`	affected	semver	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade Bugsink to version 2.1.3 or later
Validate incoming webhook URLs to ensure they do not contain backslashes or @ characters before acceptance
Restrict outbound traffic from the Bugsink host to only necessary destinations or isolate it behind a firewall

Generated by OpenCVE AI on May 26, 2026 at 19:30 UTC.

Tracking

Sign in to view the affected projects.

Advisories

Source	ID	Title
Github GHSA	GHSA-fp53-qcf8-2xx2	Bunsink has an SSRF bypass in `validate_webhook_url`

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00286.

Exploitation none

Automatable no

Technical Impact partial

References

Link	Providers
https://github.com/bugsink/bugsink/commit/940d2df635e06803ef658666d734306942db5cc7
https://github.com/bugsink/bugsink/releases/tag/2.1.3
https://github.com/bugsink/bugsink/security/advisories/GHSA-fp53-qcf8-2xx2

History

Wed, 27 May 2026 18:30:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Tue, 26 May 2026 19:00:00 +0000

Type	Values Removed	Values Added
First Time appeared		Bugsink Bugsink bugsink
Vendors & Products		Bugsink Bugsink bugsink

Tue, 26 May 2026 17:00:00 +0000

Type	Values Removed	Values Added
Description		Bugsink is a self-hosted error tracking tool. Prior to 2.1.3, Bugsink’s webhook URL validation could be (partially) bypassed because of a mismatch in URL parsing. The original validation logic parsed webhook URLs with Python’s urllib.parse.urlparse, then sent the request with requests.post. For malformed inputs involving backslashes and @, those components can disagree about where the authority ends and which hostname is the real target. A URL may therefore appear to target an allowlisted public hostname during validation, while the HTTP client actually connects to a different host. This vulnerability is fixed in 2.1.3.
Title		Bugsink: SSRF bypass in `validate_webhook_url`
Weaknesses		CWE-918
References		https://github.com/bugsink/bugsink/commit/940d2df635e06803ef658666d734306942db5cc7 https://github.com/bugsink/bugsink/releases/tag/2.1.3 https://github.com/bugsink/bugsink/security/advisories/GHSA-fp53-qcf8-2xx2
Metrics		cvssV3_1 `{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N'}`

Subscriptions

Bugsink Bugsink

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2026-05-26T16:13:32.350Z

Updated: 2026-05-27T17:21:38.121Z

Reserved: 2026-05-06T18:28:20.886Z

Link: CVE-2026-44502

Vulnrichment

Updated: 2026-05-27T17:21:34.554Z

NVD

Status : Deferred

Published: 2026-05-26T17:16:46.387

Modified: 2026-05-26T19:37:00.120

Link: CVE-2026-44502

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-26T19:45:06Z

Weaknesses

CWE-918
Server-Side Request Forgery (SSRF)

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact None

Availability Impact None

User Interaction None

Exploitation none

Automatable no

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object