CVE-2026-47728
Debug ID Misuse in Bugsink Allows Sourcemap Access
Publication date: 2026-05-26
Last updated on: 2026-05-26
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| bugsink | bugsink | to 2.2.0 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-862 | The product does not perform an authorization check when an actor attempts to access a resource or perform an action. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
Bugsink is a self-hosted error tracking tool that, before version 2.2.0, had a vulnerability related to how it resolved sourcemaps and debug files. Specifically, it looked up these files by debug ID without restricting the lookup to the project that originally uploaded the metadata. This meant that an authenticated user with access to one project could cause event processing in that project to use sourcemap or debug-file metadata from another project within the same Bugsink instance if both projects referenced the same debug ID.
This flaw could lead to unintended disclosure of source context or symbolication-derived context from another project on the same instance. The vulnerability affected both sourcemaps and debug files (when the experimental FEATURE_MINIDUMPS was enabled). It was limited in practice because self-hosted Bugsink instances typically operate within a single organization, and the hosted Bugsink service uses separate instances per tenant, preventing cross-tenant exploitation.
The issue was fixed in Bugsink version 2.2.0 by properly scoping sourcemap and debug-file lookups to the project that owns the uploaded metadata.
How can this vulnerability impact me? :
This vulnerability can impact you by allowing an authenticated user with access to one project to access sourcemap or debug-file metadata from another project within the same Bugsink instance. This could lead to unintended disclosure of source code context or symbolication information from other projects.
Such disclosure might expose sensitive internal details about the software, potentially aiding attackers in understanding or exploiting the code. However, the impact is somewhat limited because the vulnerability requires authentication and is constrained to projects within the same self-hosted Bugsink instance.
The vulnerability has a moderate severity rating with a CVSS score of 4.3, reflecting factors such as network attack vector, low attack complexity, and low privileges required.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves sourcemap and debug-file lookups not being properly scoped to the project that owns the uploaded metadata in Bugsink versions before 2.2.0.
To detect if your Bugsink instance is affected, you should check if you are running a version prior to 2.2.0 and if there is sourcemap or debug-file metadata uploaded without proper project scoping.
A command is provided to remove legacy projectless sourcemap metadata, which can help identify and clean up improperly scoped metadata.
What immediate steps should I take to mitigate this vulnerability?
The vulnerability is fixed in Bugsink version 2.2.0. The immediate step is to upgrade your Bugsink instance to version 2.2.0 or later.
After upgrading, upload sourcemaps and debug files with proper project information to ensure metadata is correctly scoped.
Additionally, use the provided command to remove legacy projectless sourcemap metadata to prevent cross-project metadata usage.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
This vulnerability could lead to unauthorized disclosure of source context or symbolication-derived context from one project to another within the same Bugsink instance. Since Bugsink is often self-hosted within a single organization, this could potentially expose sensitive debugging information across projects.
Such unauthorized data exposure may impact compliance with data protection regulations like GDPR or HIPAA if the exposed information includes personal data or sensitive health information, as these standards require strict controls on data access and confidentiality.
However, the vulnerability is limited by Bugsinkβs deployment model and does not cross tenant boundaries in hosted environments, reducing the risk of broader data leakage.
The issue has been fixed in version 2.2.0 by properly scoping sourcemap and debug-file metadata to their respective projects, and users are advised to upgrade and clean legacy unscoped metadata to mitigate compliance risks.