PatchSiren

CVE-2026-44502 bugsink CVE debrief

A URL parsing mismatch in Bugsink's webhook validation allows a partial bypass of the webhook hostname allowlist. The vulnerability stems from disagreement between Python's urllib.parse.urlparse (used for validation) and the requests library (used for HTTP transmission; requests delegates URL parsing to urllib3) when handling malformed URLs containing backslashes and @ characters. An attacker with authenticated access could craft a webhook URL that appears to target an allowlisted hostname during validation while the actual HTTP request is sent to a different, attacker-controlled host. This enables Server-Side Request Forgery (SSRF) against internal or restricted network resources. The issue affects Bugsink versions prior to 2.1.3 and was disclosed on 2026-05-26.

Vendor
bugsink
Product
Unknown
CVSS
MEDIUM 4.3
CISA KEV
Not listed in stored evidence
Original CVE published
2026-05-26
Original CVE updated
2026-05-26
Advisory published
2026-05-26
Advisory updated
2026-05-26

Who should care

Organizations running self-hosted Bugsink instances for error tracking, particularly those with webhook integrations configured. Security teams assessing SSRF exposure in Python applications that validate URLs before fetching them. Developers implementing URL allowlist mechanisms in Python should check that the parser used for validation is the same one the HTTP client uses to decide where to connect.

Technical summary

The vulnerability exists in Bugsink's webhook functionality, where URL validation and HTTP transmission use different parsing implementations. Python's urllib.parse.urlparse treats a backslash in the authority as an ordinary character (only /, ? and # end the authority) and reports the hostname as the text after the last @, whereas urllib3, which requests uses to decide where to connect, ends the authority at the first backslash. A URL containing both characters can therefore pass a hostname allowlist check that relies on urlparse while the HTTP client connects to an attacker-specified host. The attack requires authenticated access to configure webhooks and results in unauthorized outbound requests from the Bugsink server. The fix in version 2.1.3 aligns URL parsing between the validation and transmission phases.
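The parser differential described above, reproduced on a constructed URL beside a validator that closes it. This is an added example, not Bugsink's code and not taken from the advisory: the allowlist, hostnames and probe URL are constructed; the two regexes are copied from urllib3 so the comparison still runs when urllib3 is not installed; and `naive_is_allowed` is a reconstruction of the pattern the debrief describes, not Bugsink's actual validation code.

```python
"""Parser-differential SSRF check, run on a constructed webhook URL.

Added example (not Bugsink's code): compares the host a urllib.parse-based
validator sees with the host requests/urllib3 would connect to, and shows a
validator that fails closed on the disagreement.
"""
import re
from typing import Optional
from urllib.parse import urlparse

try:
    # requests hands the URL to urllib3's parser when it prepares a request.
    from urllib3.util import parse_url as _urllib3_parse_url
except ImportError:  # pragma: no cover - offline fallback below
    _urllib3_parse_url = None

# Assumption: both regexes are copied from urllib3. The authority group of
# _URI_RE stops at the first backslash, which urllib.parse does not do.
_URI_RE = re.compile(
    r"^(?:([a-zA-Z][a-zA-Z0-9+.-]*):)?(?://([^\\/?#]*))?([^?#]*)(?:\?([^#]*))?(?:#(.*))?$"
)
_HOST_PORT_RE = re.compile(r"^(.*?)(?::([0-9]{0,5}))?$")

# Constructed allowlist and probe URL for the demonstration.
ALLOWLIST = frozenset({"hooks.allowed.example"})
CRAFTED_URL = "http://evil.example\\@hooks.allowed.example/hook"


def validator_host(url: str) -> Optional[str]:
    """Host as urllib.parse sees it: the authority runs up to the first '/',
    '?' or '#', and the hostname is whatever follows the last '@'."""
    return urlparse(url).hostname


def client_host(url: str) -> Optional[str]:
    """Host the requests/urllib3 client will actually open a connection to."""
    if _urllib3_parse_url is not None:
        return _urllib3_parse_url(url).host
    # Fallback mirroring urllib3 when it is not installed.
    match = _URI_RE.match(url)
    authority = match.group(2) if match else None
    if not authority:
        return None
    host_port = authority.rpartition("@")[2]
    host = _HOST_PORT_RE.match(host_port).group(1)
    return host.lower() or None


def naive_is_allowed(url: str, allowlist=ALLOWLIST) -> bool:
    """Check of the shape the debrief describes: validate the hostname with
    urllib.parse, then hand the raw string to requests. Reconstructed from the
    description only; not Bugsink's actual code."""
    return validator_host(url) in allowlist


def hardened_webhook_url(url: str, allowlist=ALLOWLIST) -> str:
    """Return a canonical URL safe to give to the HTTP client, or raise ValueError.

    Fails closed on characters parsers are known to disagree about, decides the
    host with the client's own parser, requires the stdlib view to agree, and
    rebuilds the URL from parsed parts instead of forwarding the raw string.
    """
    if "\\" in url or any(ch.isspace() for ch in url):
        raise ValueError("backslash or whitespace in webhook URL")
    try:
        host = client_host(url)
    except Exception as exc:  # urllib3.exceptions.LocationParseError etc.
        raise ValueError(f"unparseable webhook URL: {exc}") from None
    if host is None or host not in allowlist:
        raise ValueError(f"host {host!r} is not allowlisted")
    parts = urlparse(url)
    if parts.scheme not in ("http", "https"):
        raise ValueError(f"scheme {parts.scheme!r} not permitted")
    if parts.username is not None or parts.password is not None:
        raise ValueError("userinfo in webhook URL")
    if parts.hostname != host:
        raise ValueError(f"parser disagreement: {parts.hostname!r} vs {host!r}")
    port = f":{parts.port}" if parts.port is not None else ""  # .port raises on junk
    query = f"?{parts.query}" if parts.query else ""
    return f"{parts.scheme}://{host}{port}{parts.path or '/'}{query}"


def hardened_is_allowed(url: str, allowlist=ALLOWLIST) -> bool:
    """Boolean wrapper around hardened_webhook_url."""
    try:
        hardened_webhook_url(url, allowlist)
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    print("validator sees :", validator_host(CRAFTED_URL))     # hooks.allowed.example
    print("client connects:", client_host(CRAFTED_URL))        # evil.example
    print("naive allows   :", naive_is_allowed(CRAFTED_URL))   # True, the SSRF
    print("hardened allows:", hardened_is_allowed(CRAFTED_URL))  # False
```

Run as a script, the naive check reports the crafted URL as allowlisted while the client resolves `evil.example`; the hardened check rejects it, rejects userinfo outright, and returns a URL rebuilt from the parsed parts so the string the client receives is the string that was validated.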

Defensive priority

medium

Recommended defensive actions

  • Upgrade Bugsink to version 2.1.3 or later to obtain the patched URL validation logic
  • Review existing webhook configurations for suspicious URLs added before patching, in particular any with a backslash or @ character in the host portion
  • Restrict outbound HTTP from Bugsink instances to the expected webhook destinations, by network segmentation or an egress proxy
  • Consider additional SSRF protections such as DNS rebinding mitigations and strict URL canonicalization, so that the URL handed to the HTTP client is the one that was validated
  • Audit webhook delivery logs for anomalous request patterns or unexpected destination hosts

Evidence notes

Official CVE record published 2026-05-26; GitHub Security Advisory GHSA-fp53-qcf8-2xx2 confirms fix in version 2.1.3; commit 940d2df635e06803ef658666d734306942db5cc7 contains remediation. CVSS 3.1 score 4.3 (Medium) with vector AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N. CWE-918 (Server-Side Request Forgery) identified as primary weakness.

Official resources

2026-05-26T17:16:46.387Z