CVE-2026-47728 - Vulnerability Details

- Bugsink: Project scoping missing in sourcemap and debug-file lookup

Description

Bugsink is a self-hosted error tracking tool. Prior to 2.2.0, Bugsink resolved sourcemaps and debug files by debug ID without scoping that lookup to the project that owned the uploaded metadata. An authenticated user with access to one project could cause event processing in that project to use sourcemap/debug-file metadata uploaded for another project in the same Bugsink instance, if the same debug ID was referenced. This vulnerability is fixed in 2.2.0.

Published: 2026-05-26

Score: 4.3 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

Bugsink’s sourcemap and debug-file resolution was performed without scoping the lookup to the project that uploaded the metadata. An authenticated user who can view events in one project could trigger the processing of an event that references a debug ID that also exists for another project. The lookup would then use the debug metadata from that other project, potentially exposing internal source code or debugging information that the original project owner did not intend to share. This flaw maps to CWE‑862: Privilege Bypass Through User-Controlled Key.

Affected Systems

The vulnerability affects all Bugsink installations running a version prior to 2.2.0. Any Bugsink instance that hosts multiple projects and allows users to upload sourcemaps or debug files is vulnerable unless the offending version is upgraded.

Risk and Exploitability

With a CVSS score of 4.3 the risk is medium. The EPSS is not available, and the vulnerability is not listed in CISA's KEV catalog, indicating no known widespread exploitation so far. Exploitation requires an authenticated session with permissions on at least one project and the presence of a duplicate debug ID in another project. The attack is local to the application and does not involve remote code execution or broad privilege escalation. The most likely attack vector is an authenticated user integrating malicious or sensitive debug metadata from another project into event processing.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

bugsink

affected

Version	Status	Constraints
`< 2.2.0`	affected	—

No data.

Vendor Product Confidence Versions

Bugsink

100%

Version	Status	Scheme	Platform
`[0,2.2.0)`	affected	semver	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade Bugsink to version 2.2.0 or later, where the project scoping issue is fixed.
If an immediate upgrade is not possible, enforce unique debug IDs per project or restrict access to debug files so that users cannot upload or reuse IDs that may conflict with other projects.
Review and tighten project‑level permissions to limit which authenticated users can view events and upload sourcemaps, reducing the window of opportunity for this flaw to be abused.

Generated by OpenCVE AI on May 26, 2026 at 18:42 UTC.

Tracking

Sign in to view the affected projects.

Advisories

Source	ID	Title
Github GHSA	GHSA-5389-f7vh-wxj8	Bugsink: Project scoping missing in sourcemap and debug-file lookup

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00168.

Exploitation none

Automatable no

Technical Impact partial

References

Link	Providers
https://github.com/bugsink/bugsink/releases/tag/2.2.0
https://github.com/bugsink/bugsink/security/advisories/GHSA-5389-f7vh-wxj8

History

Tue, 26 May 2026 19:00:00 +0000

Type	Values Removed	Values Added
First Time appeared		Bugsink Bugsink bugsink
Vendors & Products		Bugsink Bugsink bugsink

Tue, 26 May 2026 18:30:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Tue, 26 May 2026 17:00:00 +0000

Type	Values Removed	Values Added
Description		Bugsink is a self-hosted error tracking tool. Prior to 2.2.0, Bugsink resolved sourcemaps and debug files by debug ID without scoping that lookup to the project that owned the uploaded metadata. An authenticated user with access to one project could cause event processing in that project to use sourcemap/debug-file metadata uploaded for another project in the same Bugsink instance, if the same debug ID was referenced. This vulnerability is fixed in 2.2.0.
Title		Bugsink: Project scoping missing in sourcemap and debug-file lookup
Weaknesses		CWE-862
References		https://github.com/bugsink/bugsink/releases/tag/2.2.0 https://github.com/bugsink/bugsink/security/advisories/GHSA-5389-f7vh-wxj8
Metrics		cvssV3_1 `{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N'}`

Subscriptions

Bugsink Bugsink

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2026-05-26T16:16:10.858Z

Updated: 2026-05-26T17:31:41.956Z

Reserved: 2026-05-19T21:29:25.483Z

Link: CVE-2026-47728

Vulnrichment

Updated: 2026-05-26T17:31:26.693Z

NVD

Status : Deferred

Published: 2026-05-26T17:16:53.107

Modified: 2026-05-26T19:37:00.120

Link: CVE-2026-47728

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-26T18:45:13Z

Weaknesses

CWE-862
Missing Authorization

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact None

Availability Impact None

User Interaction None

Exploitation none

Automatable no

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object