CVE-2026-47716
Unauthorized Bulk Actions in Bugsink Prior to 2.2.0

Publication date: 2026-05-26

Last updated on: 2026-05-26

Assigner: GitHub, Inc.

Description
Bugsink is a self-hosted error tracking tool. In versions prior to 2.2.0, the issue list view authorizes access through the project in the URL, but applies the requested bulk action to the submitted issue IDs without also requiring those issues to belong to that project. A member of one project who knows the issue IDs of another project can therefore act on those issues. This vulnerability is fixed in 2.2.0.
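The description above is the textbook shape of CWE-639: the authorization check and the data access use different keys. The following is an added example, not Bugsink's code, that models the issue-list bulk action in memory once with the flaw and once with the project-scoped fix. The project slugs, user names, membership table and UUIDs are constructed for the example.

```python
"""Added example (not Bugsink's code): an in-memory model of an issue-list
bulk action that is authorized through the project in the URL, shown once
with the CWE-639 flaw and once with the project-scoped fix."""
from dataclasses import dataclass

# Constructed sample data; the slugs, users and UUIDs are hypothetical.
ALPHA_ISSUE = "5c0a4a3e-6c6a-4a1b-9f3e-111111111111"
BETA_ISSUE = "2d9e7b14-3f80-4c0d-8e2a-222222222222"
MEMBERSHIP = {"alice": {"alpha"}, "bob": {"beta"}}


@dataclass
class Issue:
    id: str
    project: str       # slug of the owning project
    resolved: bool = False


class Forbidden(Exception):
    """Raised when the caller is not a member of the project in the URL."""


def make_store() -> dict:
    """Fresh copy of the issue table so each call starts from the same state."""
    return {
        ALPHA_ISSUE: Issue(ALPHA_ISSUE, "alpha"),
        BETA_ISSUE: Issue(BETA_ISSUE, "beta"),
    }


def authorize(user: str, project_slug: str) -> None:
    # The only check the vulnerable view performs: membership of the
    # project named in the URL.
    if project_slug not in MEMBERSHIP.get(user, set()):
        raise Forbidden(f"{user} is not a member of {project_slug}")


def bulk_resolve_vulnerable(store, user, project_slug, issue_ids):
    """Flawed version: the URL project is authorized, but the posted IDs are
    applied as-is, so any issue the user can name gets resolved."""
    authorize(user, project_slug)
    touched = []
    for issue_id in issue_ids:
        issue = store.get(issue_id)
        if issue is None:
            continue
        issue.resolved = True          # no check that issue.project == project_slug
        touched.append(issue_id)
    return touched


def bulk_resolve_fixed(store, user, project_slug, issue_ids):
    """Hardened version: the action is restricted to issues owned by the
    project that was authorized; IDs from other projects are dropped."""
    authorize(user, project_slug)
    touched = []
    for issue_id in issue_ids:
        issue = store.get(issue_id)
        if issue is None or issue.project != project_slug:
            continue                   # the ID is not in scope for this URL
        issue.resolved = True
        touched.append(issue_id)
    return touched


if __name__ == "__main__":
    # alice belongs to alpha only but submits beta's issue ID alongside her own.
    ids = [ALPHA_ISSUE, BETA_ISSUE]
    print("vulnerable:", bulk_resolve_vulnerable(make_store(), "alice", "alpha", ids))
    print("fixed:     ", bulk_resolve_fixed(make_store(), "alice", "alpha", ids))
```

In a Django application the same fix is the difference between filtering the queryset by the submitted IDs alone and filtering by the authorized project as well as the IDs; that is the general shape of the fix, not a quotation of Bugsink's patch.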
Meta Information
Generated: 2026-05-26
AI Q&A generated: 2026-05-26
EPSS Evaluated: N/A
Affected Vendors & Products (2 associated CPEs)
Vendor    Product   Version / Range
bugsink   bugsink   < 2.2.0 (exclusive)
bugsink   bugsink   < 2.1.3 (exclusive)
CWE
CWE-639 (Authorization Bypass Through User-Controlled Key): The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

The vulnerability in Bugsink allows a project member with knowledge of issue UUIDs from another project to perform bulk actions on issues outside their authorized project. This authorization bypass could lead to unauthorized modification of data across projects.

While the vulnerability involves unauthorized access and modification risks, it is considered low severity due to high attack complexity, required privileges, and the typical self-hosted, single trust domain deployment of Bugsink.

However, unauthorized access or modification of data could potentially impact compliance with data protection regulations such as GDPR or HIPAA, which require strict access controls and data integrity safeguards.

Organizations using affected versions of Bugsink should upgrade to version 2.2.0 to mitigate this risk and maintain compliance with relevant standards by ensuring proper authorization enforcement.


Can you explain this vulnerability to me?

CVE-2026-47716 is a vulnerability in the Bugsink self-hosted error tracking tool versions prior to 2.2.0. The issue arises because the system authorizes access to issue list views based on the project specified in the URL, but when performing bulk actions on issues, it does not verify that those issues actually belong to the authorized project. This means a user with knowledge of issue UUIDs from another project can perform bulk actions on those issues without proper authorization.

Additionally, debug-file metadata such as sourcemaps and minidumps were not properly scoped to projects, allowing events in one project to use debug metadata from another project.

The vulnerability is fixed in version 2.2.0 by enforcing that bulk actions and event lookups only affect issues/events belonging to the authorized project and by properly scoping debug-file metadata.


How can this vulnerability impact me?

This vulnerability can allow a project member to perform unauthorized bulk actions (such as resolving or muting issues) on issues belonging to other projects if they know the UUIDs of those issues. This could lead to unintended modification or suppression of issues outside their authorized scope.

Because debug metadata was not properly scoped, events in one project could incorrectly use debug information from another project, potentially causing confusion or incorrect debugging data.

However, the impact is limited by the fact that an attacker needs prior knowledge of valid issue UUIDs, which are difficult to guess, and Bugsink is often self-hosted within a trusted environment, reducing the risk of cross-project attacks.

The CVSS score of 3.1 (low) reflects the high attack complexity and the privileges required; no user interaction is needed.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability involves unauthorized bulk actions on issues across projects when an attacker knows issue UUIDs from other projects. Detection would involve monitoring for bulk actions that affect issues outside the authorized project scope.

Since the vulnerability is related to misuse of issue UUIDs in bulk actions, you can audit logs or database records for bulk actions where the issue IDs do not belong to the project specified in the URL or user context.

No specific commands are provided in the available resources to detect this vulnerability directly.
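The audit described above can be scripted against whatever request log the instance keeps. The following is an added example, not Bugsink's code and not a command from its documentation: it parses constructed log lines in a hypothetical key=value format (Bugsink's real request logging and URL layout may differ, so the regular expression must be adapted) and, given an issue-to-project mapping exported from the database, flags bulk-action POSTs whose submitted issue IDs belong to a project other than the one in the URL. IDs with no known owner are reported separately, since they may be deleted issues or probing.

```python
"""Added example (not Bugsink's code): audit a request log for bulk actions
whose posted issue IDs do not belong to the project named in the URL."""
import re

# Constructed log lines in a hypothetical key=value format; Bugsink's real
# request logging and URL layout may differ, so adapt LINE_RE to your logs.
SAMPLE_LOG = [
    "user=alice method=POST path=/alpha/issues/ action=resolve "
    "ids=5c0a4a3e-6c6a-4a1b-9f3e-111111111111",
    "user=bob method=POST path=/beta/issues/ action=mute "
    "ids=2d9e7b14-3f80-4c0d-8e2a-222222222222,5c0a4a3e-6c6a-4a1b-9f3e-111111111111",
    "user=bob method=GET path=/beta/issues/",
    "user=carol method=POST path=/beta/issues/ action=resolve "
    "ids=9b1f0c27-4e55-4d6b-a3c1-333333333333",
]

# Issue -> owning project, as you would export it from the Bugsink database
# (constructed here; the UUIDs are hypothetical).
ISSUE_PROJECT = {
    "5c0a4a3e-6c6a-4a1b-9f3e-111111111111": "alpha",
    "2d9e7b14-3f80-4c0d-8e2a-222222222222": "beta",
}

LINE_RE = re.compile(
    r"user=(?P<user>\S+) method=POST path=/(?P<project>[^/]+)/issues/ "
    r"action=(?P<action>\S+) ids=(?P<ids>\S+)"
)


def parse_bulk_action(line: str):
    """Return the fields of a bulk-action POST, or None for other requests."""
    m = LINE_RE.search(line)
    if m is None:
        return None
    return {
        "user": m["user"],
        "project": m["project"],
        "action": m["action"],
        "ids": m["ids"].split(","),
    }


def find_cross_project_actions(lines, issue_project):
    """Flag bulk actions that name issues outside the URL's project.

    Known IDs owned by another project are the signature of this CVE being
    exercised; unknown IDs may be deleted issues but can also be probing."""
    findings = []
    for line in lines:
        rec = parse_bulk_action(line)
        if rec is None:
            continue
        foreign = [i for i in rec["ids"]
                   if i in issue_project and issue_project[i] != rec["project"]]
        unknown = [i for i in rec["ids"] if i not in issue_project]
        if foreign or unknown:
            findings.append({
                "user": rec["user"],
                "project": rec["project"],
                "action": rec["action"],
                "foreign_ids": foreign,
                "unknown_ids": unknown,
            })
    return findings


if __name__ == "__main__":
    for finding in find_cross_project_actions(SAMPLE_LOG, ISSUE_PROJECT):
        print(finding)
```

On the sample data this reports bob's mute request, which names an alpha issue from a beta URL, and carol's request, which names an ID the mapping does not know. On a patched instance such requests are harmless, so a hit is evidence of an attempt rather than of a successful modification; confirm the Bugsink version before escalating.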


What immediate steps should I take to mitigate this vulnerability?

The primary mitigation step is to upgrade Bugsink to version 2.2.0 or later, where this vulnerability has been fixed by enforcing that bulk actions only affect issues within the authorized project.

Additionally, users are advised to upgrade sourcemap uploads to include project slugs and remove legacy unscoped sourcemaps by running the specific cleanup command provided in the release notes.

Until the upgrade is applied, restrict access to the Bugsink instance to trusted users only, as the vulnerability requires knowledge of valid issue UUIDs and some privileges.

