Description
Bugsink is a self-hosted error tracking tool. Prior to 2.2.0, the issue list view authorizes access through the project in the URL, but applies the requested bulk action to the submitted issue IDs without also requiring those issues to belong to that project. This vulnerability is fixed in 2.2.0.
Published: 2026-05-26
Score: 3.1 Low
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A vulnerability in Bugsink allows a user who can view a project's issue list to submit bulk changes that are applied to whatever issue IDs the request contains, regardless of whether those issues belong to the project named in the URL. Because ownership of the submitted IDs is never validated, such a user can alter, close, or otherwise modify issues in other projects whose issue UUIDs are known, resulting in unauthorized data modification. The weakness is an authorization flaw classified as CWE-639 (Authorization Bypass Through User-Controlled Key).

Affected Systems

All self‑hosted Bugsink installations running any version older than 2.2.0 are affected. The bug is located in the issue list view component that authorizes project‑level access but does not enforce project membership on the submitted bulk‑action payload.
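An illustrative Python model of the gap described above, added here and not taken from Bugsink's own code base: both handlers perform the project-level check driven by the project in the URL, but only the fixed variant scopes the submitted issue IDs to that project. The function names, the in-memory issue store and the short constructed IDs (Bugsink uses UUIDs) are assumptions made for the example.

```python
from dataclasses import dataclass


@dataclass
class Issue:
    id: str            # constructed short ID; the real application uses UUIDs
    project_id: str
    status: str = "open"


class Forbidden(Exception):
    """Raised when the caller may not act on the project named in the URL."""


def check_project_access(user_projects, url_project_id):
    # Project-level authorization from the URL. Both handlers below do this
    # check; it is correct and is not where the defect lies.
    if url_project_id not in user_projects:
        raise Forbidden(f"no access to project {url_project_id}")


def bulk_resolve_vulnerable(issues, user_projects, url_project_id, submitted_ids):
    check_project_access(user_projects, url_project_id)
    # Defect (CWE-639): the submitted IDs are trusted as-is and never scoped to
    # url_project_id, so an ID belonging to any other project is resolved too.
    touched = []
    for issue in issues:
        if issue.id in submitted_ids:
            issue.status = "resolved"
            touched.append(issue.id)
    return touched


def bulk_resolve_fixed(issues, user_projects, url_project_id, submitted_ids):
    check_project_access(user_projects, url_project_id)
    # Fix: act only on issues that belong to the authorized project (the ORM
    # equivalent is filtering by project AND id). IDs outside the project are
    # returned separately so the caller can log the anomaly instead of
    # silently dropping it. submitted_ids is expected to be a set.
    in_project = {i.id for i in issues if i.project_id == url_project_id}
    rejected = sorted(submitted_ids - in_project)
    touched = []
    for issue in issues:
        if issue.project_id == url_project_id and issue.id in submitted_ids:
            issue.status = "resolved"
            touched.append(issue.id)
    return touched, rejected


def build_fixture():
    # Constructed data: the user is a member of proj-a only; b1 lives in proj-b.
    return [Issue("a1", "proj-a"), Issue("b1", "proj-b")], {"proj-a"}
```

Calling `bulk_resolve_vulnerable` with `{"a1", "b1"}` against `proj-a` resolves both issues, while `bulk_resolve_fixed` resolves only `a1` and reports `b1` as rejected.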

Risk and Exploitability

The CVSS 3.1 base score of 3.1 (Low) reflects a network-reachable attack of high complexity that needs low privileges and affects integrity only, in a limited way (vector CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N). The EPSS estimate is below 1% and the vulnerability is not listed in CISA KEV, so there is no evidence of exploitation in the wild. An authenticated user who can view a project's issue list and knows the UUID of an issue in another project can, however, trigger the flaw remotely through the web interface by including that ID in a bulk-action request. Because only legitimate access to the issue list view and knowledge of a target issue UUID are needed, the flaw matters most on instances where many projects with different user populations share one installation.

Generated by OpenCVE AI on May 26, 2026 at 18:42 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Bugsink to version 2.2.0 or later to apply the vendor patch that validates project membership on bulk actions
  • If an upgrade is not immediately possible, restrict or disable the bulk‑action functionality for users without explicit project‑level permissions
  • Regularly audit issue change logs and monitor for anomalous bulk modifications to detect any exploitation attempts

Advisories

Source: GitHub GHSA
ID: GHSA-g5vc-q7qc-v939
Title: Bugsink: Issue bulk actions can affect another project’s issue if its UUID is known
History

Wed, 27 May 2026 15:30:00 +0000

Type: Metrics (ssvc)
Values Added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 26 May 2026 19:00:00 +0000

Type: First Time appeared
Values Added: Bugsink; Bugsink bugsink

Type: Vendors & Products
Values Added: Bugsink; Bugsink bugsink

Tue, 26 May 2026 17:00:00 +0000

Type: Description
Values Added: Bugsink is a self-hosted error tracking tool. Prior to 2.2.0, In affected versions, the issue list view authorizes access through the project in the URL, but applies the requested bulk action to the submitted issue IDs without also requiring those issues to belong to that project. This vulnerability is fixed in 2.2.0.

Type: Title
Values Added: Bugsink: Issue bulk actions can affect another project’s issue if its UUID is known

Type: Weaknesses
Values Added: CWE-639

Type: References
Values Added:

Type: Metrics (cvssV3_1)
Values Added: {'score': 3.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-27T13:45:33.896Z

Reserved: 2026-05-19T21:29:25.482Z

Link: CVE-2026-47716

Vulnrichment

Updated: 2026-05-27T13:45:28.530Z

NVD

Status : Deferred

Published: 2026-05-26T17:16:52.957

Modified: 2026-06-17T10:54:38.343

Link: CVE-2026-47716

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-26T18:45:13Z

Weaknesses
  • CWE-639: Authorization Bypass Through User-Controlled Key