Description
Bugsink is a self-hosted error tracking tool. Prior to 2.2.0, Bugsink issue event pages accept a direct event identifier from the URL and, in affected versions, look up that event without also requiring it to belong to the issue in the URL. This is a project-boundary authorization issue: a logged-in user with access to one project can view another project’s event data through an issue they are allowed to access. The affected views include the stacktrace, details, and breadcrumbs pages for an issue event. This vulnerability is fixed in 2.2.0.
Published: 2026-05-26
Score: 3.1 Low
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Bugsink, a self‑hosted error tracking platform, contains a project‑boundary authorization flaw in versions earlier than 2.2.0. The issue event pages accept a direct event identifier from the URL and retrieve that event without confirming that it belongs to the issue named in the same URL. Consequently, an authenticated user with access to at least one project can view the stacktrace, details, and breadcrumbs of events that belong to other projects, provided they know the target event's UUID. This is an authorization bypass through a user‑controlled key (CWE‑639), and it exposes error‑tracking data to users who should not be able to see it.
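The pattern behind this finding, shown as an added example rather than Bugsink's own code: a view authorizes the issue from the URL, but then loads the event by its URL-supplied identifier alone, so any event UUID is accepted. The hardened variant requires the event to belong to the authorized issue. Bugsink is a Django application, so its real fix is the equivalent of adding an issue filter to the event query; the classes, function names and sample data below are assumptions written for this illustration.

```python
"""Added example: project-scoped event lookup, vulnerable vs. hardened.

Illustrative code written for this page, not Bugsink's own views or models.
Project/Issue/Event, NotFound, Forbidden, the two view functions and the
sample data are all assumptions. In Django terms the hardened lookup is
the equivalent of get_object_or_404(Event, pk=event_id, issue=issue).
"""
from dataclasses import dataclass


class NotFound(Exception):
    """No such row (the 404 a view should return)."""


class Forbidden(Exception):
    """User is not a member of the issue's project."""


@dataclass(frozen=True)
class Issue:
    id: str
    project_id: str


@dataclass(frozen=True)
class Event:
    id: str          # the event UUID taken from the URL
    issue_id: str
    payload: str     # stands in for stacktrace / details / breadcrumbs


# Constructed sample data: two projects with one issue and one event each.
ISSUES = {
    "issue-a": Issue("issue-a", "project-a"),
    "issue-b": Issue("issue-b", "project-b"),
}
EVENTS = {
    "evt-a": Event("evt-a", "issue-a", "stacktrace for project-a"),
    "evt-b": Event("evt-b", "issue-b", "stacktrace for project-b"),
}
# user -> project ids the user is a member of
MEMBERSHIPS = {"alice": {"project-a"}, "bob": {"project-b"}}


def _issue_for_user(user: str, issue_id: str) -> Issue:
    """Resolve the issue named in the URL and enforce project membership."""
    issue = ISSUES.get(issue_id)
    if issue is None:
        raise NotFound(issue_id)
    if issue.project_id not in MEMBERSHIPS.get(user, set()):
        raise Forbidden(issue_id)
    return issue


def event_view_vulnerable(user: str, issue_id: str, event_id: str) -> str:
    """Flawed pattern: the issue is authorized, but the event is fetched by
    its id alone, so any event id placed in the URL is returned."""
    _issue_for_user(user, issue_id)       # authorization covers the issue only
    event = EVENTS.get(event_id)          # CWE-639: user-controlled key, unscoped
    if event is None:
        raise NotFound(event_id)
    return event.payload


def event_view_fixed(user: str, issue_id: str, event_id: str) -> str:
    """Hardened pattern: the event must belong to the authorized issue."""
    issue = _issue_for_user(user, issue_id)
    event = EVENTS.get(event_id)
    if event is None or event.issue_id != issue.id:
        # 404 rather than 403: do not confirm that the foreign UUID exists.
        raise NotFound(event_id)
    return event.payload


def cross_project_leaks(view) -> bool:
    """Probe: alice (project-a only) requests project-b's event through
    issue-a, which she may access. True means the view leaked it."""
    try:
        return view("alice", "issue-a", "evt-b") == "stacktrace for project-b"
    except (NotFound, Forbidden):
        return False


if __name__ == "__main__":
    print("vulnerable view leaks:", cross_project_leaks(event_view_vulnerable))
    print("fixed view leaks:     ", cross_project_leaks(event_view_fixed))
```

The probe is the check a pentester would run against an instance: take an issue you are allowed to see, swap in an event UUID from a project you are not a member of, and see whether the page renders. The hardened view answers 404 for the mismatch so that the response does not double as an oracle for which UUIDs exist.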

Affected Systems

The vulnerability affects Bugsink installations running any version before 2.2.0; all released versions up to 2.1.x are susceptible.

Risk and Exploitability

The CVSS 3.1 base score of 3.1 (AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N) indicates low severity, with a limited confidentiality impact and no integrity or availability impact, and the vulnerability is not listed in CISA KEV. The EPSS score is below 1%, and the SSVC assessment records no known exploitation. Exploitation requires an authenticated Bugsink session with access to at least one project plus knowledge of a cross‑project event UUID; the advisory does not describe how such a UUID would be obtained, which is reflected in the high attack complexity. An attacker who meets these conditions can read stack traces, event details, and breadcrumbs from other projects, which may reveal proprietary code paths or debugging information. The flaw does not grant command execution, account creation, or any write access; it is confined to disclosure of event data.

Generated by OpenCVE AI on May 26, 2026 at 18:42 UTC.

Remediation

Fixed in Bugsink 2.2.0. The advisory describes no workaround for earlier versions.

OpenCVE Recommended Actions

  • Upgrade Bugsink to version 2.2.0 or later to apply the vendor‑provided fix.
  • Until the upgrade is applied, assume that any authenticated user can read event data from every project on the instance; review project membership and remove accounts that should not share an instance with sensitive projects.
  • Review web‑server or application access logs for issue event page requests (stacktrace, details, breadcrumbs) in which the event identifier does not belong to the issue in the same URL; such requests indicate that someone probed the flaw.

Generated by OpenCVE AI on May 26, 2026 at 18:42 UTC.

Advisories
Source: GitHub GHSA
ID: GHSA-vx2f-6m6h-9frf
Title: Bugsink: Issue event views can show an event from another project if its UUID is known
History

Thu, 28 May 2026 14:15:00 +0000

Type: Metrics (ssvc)
Values Removed: (none)
Values Added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 26 May 2026 19:00:00 +0000

Type: First Time appeared
Values Removed: (none)
Values Added: Bugsink; Bugsink bugsink

Type: Vendors & Products
Values Removed: (none)
Values Added: Bugsink; Bugsink bugsink

Tue, 26 May 2026 17:00:00 +0000

Type: Description
Values Removed: (none)
Values Added: Bugsink is a self-hosted error tracking tool. Prior to 2.2.0, Bugsink issue event pages accept a direct event identifier from the URL and, in affected versions, look up that event without also requiring it to belong to the issue in the URL. This is a project-boundary authorization issue: a logged-in user with access to one project can view another project’s event data through an issue they are allowed to access. The affected views include the stacktrace, details, and breadcrumbs pages for an issue event. This vulnerability is fixed in 2.2.0.

Type: Title
Values Removed: (none)
Values Added: Bugsink: Issue event views can show an event from another project if its UUID is known

Type: Weaknesses
Values Removed: (none)
Values Added: CWE-639

Type: References
Values Removed: (none)
Values Added:

Type: Metrics (cvssV3_1)
Values Removed: (none)
Values Added: {'score': 3.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-28T13:59:29.137Z

Reserved: 2026-05-19T21:29:25.482Z

Link: CVE-2026-47715

Vulnrichment

Updated: 2026-05-28T13:59:25.801Z

NVD

Status : Deferred

Published: 2026-05-26T17:16:52.803

Modified: 2026-05-26T19:37:00.120

Link: CVE-2026-47715

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-26T18:45:13Z

Weaknesses
  • CWE-639

    Authorization Bypass Through User-Controlled Key