PatchSiren cyber security CVE debrief

CVE-2026-47715 bugsink CVE debrief

CVE-2026-47715 is a project-boundary authorization bypass in Bugsink, a self-hosted error tracking tool. Prior to version 2.2.0, the application failed to validate that an event identifier provided in the URL belonged to the issue specified in the same URL. This allowed authenticated users with access to one project to view event data—including stacktraces, details, and breadcrumbs—from other projects by manipulating the event identifier in issue event page URLs. The vulnerability stems from missing authorization checks that should have enforced project-level isolation when retrieving event data. The CVSS v3.1 base score of 3.1 (Low severity) reflects the requirement for authenticated access and the high attack complexity due to the need for valid credentials and knowledge of event identifiers. The issue was resolved in Bugsink 2.2.0 by implementing proper validation to ensure events are only returned when they belong to the requesting user's authorized project and the specified issue.

Vendor: bugsink
Product: Unknown
CVSS: LOW 3.1
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-26
Original CVE updated: 2026-05-26
Advisory published: 2026-05-26
Advisory updated: 2026-05-26

Who should care

Organizations running self-hosted Bugsink instances for error tracking and application monitoring. Security teams responsible for authorization controls in multi-tenant or multi-project self-hosted applications. Developers maintaining Bugsink deployments or evaluating self-hosted error tracking solutions with project-level data isolation requirements.

Technical summary

The vulnerability exists in Bugsink's issue event page views, which accept an event identifier from the URL path or query parameters. In affected versions (< 2.2.0), the application performs a direct lookup of the event by identifier without verifying that the event belongs to the issue specified in the URL or that the requesting user has authorization to access the project containing that event. This creates a horizontal authorization bypass where users with legitimate access to Project A can construct URLs to view events from Project B by supplying valid event IDs from the target project. The affected views include stacktrace display, event details, and breadcrumb navigation pages. The fix in 2.2.0 adds authorization checks that validate the event belongs to both the specified issue and a project accessible to the authenticated user.
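The following is an added illustration of the lookup pattern described above and of the scoped lookup the fix corresponds to. It is constructed for this debrief and is not Bugsink's code: the data model (dicts standing in for the project, issue and event tables), the user and identifier names, and the view function names are all assumptions. The point it shows is that checking the issue in the URL is not enough; the event row fetched by the user-controlled key must also be constrained to that issue and to a project the user is a member of (CWE-639).

```python
"""Constructed model of a horizontal authorization bypass in an issue event
view, with the unscoped (vulnerable) lookup beside the scoped (fixed) one.
None of the names below are taken from Bugsink; they are assumptions."""
from dataclasses import dataclass
from typing import Callable


class NotFound(Exception):
    """Stands in for an HTTP 404 raised by a web view."""


@dataclass(frozen=True)
class Event:
    event_id: str
    issue_id: str
    project_id: str
    stacktrace: str


# Constructed sample data: two projects, one issue each, one event each.
ISSUES = {"issue-A": "proj-A", "issue-B": "proj-B"}  # issue -> owning project
EVENTS = {
    "evt-A1": Event("evt-A1", "issue-A", "proj-A", "ValueError in a.py"),
    "evt-B1": Event("evt-B1", "issue-B", "proj-B", "KeyError in b.py"),
}
MEMBERSHIP = {"alice": {"proj-A"}, "bob": {"proj-B"}}  # user -> projects


def _issue_project_for(user: str, issue_id: str) -> str:
    """Authorize the issue named in the URL; both views share this step."""
    project_id = ISSUES.get(issue_id)
    if project_id is None or project_id not in MEMBERSHIP.get(user, set()):
        raise NotFound(f"issue {issue_id} not visible to {user}")
    return project_id


def event_page_unscoped(user: str, issue_id: str, event_id: str) -> Event:
    """Vulnerable pattern: the issue is authorized, but the event is fetched by
    its user-controlled key alone, so any valid event id is returned."""
    _issue_project_for(user, issue_id)
    try:
        return EVENTS[event_id]  # missing: event.issue_id == issue_id
    except KeyError:
        raise NotFound(f"event {event_id} does not exist") from None


def event_page_scoped(user: str, issue_id: str, event_id: str) -> Event:
    """Fixed pattern: the event must belong to the URL's issue, and that issue
    must belong to a project the user is a member of."""
    project_id = _issue_project_for(user, issue_id)
    event = EVENTS.get(event_id)
    # Respond 404 rather than 403 so the response does not confirm that a
    # foreign event id exists.
    if event is None or event.issue_id != issue_id or event.project_id != project_id:
        raise NotFound(f"event {event_id} is not part of issue {issue_id}")
    return event


def can_read(view: Callable[[str, str, str], Event],
             user: str, issue_id: str, event_id: str) -> bool:
    """True if the given view returns event data for this user and URL."""
    try:
        view(user, issue_id, event_id)
        return True
    except NotFound:
        return False


if __name__ == "__main__":
    # alice is a member of proj-A only and requests proj-B's event through a
    # proj-A issue URL.
    print("unscoped leaks cross-project event:",
          can_read(event_page_unscoped, "alice", "issue-A", "evt-B1"))
    print("scoped leaks cross-project event:  ",
          can_read(event_page_scoped, "alice", "issue-A", "evt-B1"))
```

In an ORM-backed view the same fix is a matter of adding the issue and project constraints to the event query itself rather than checking them afterwards, so that a row from another project is never loaded in the first place.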

Defensive priority

medium

Recommended defensive actions

  • Upgrade Bugsink to version 2.2.0 or later to remediate the authorization bypass vulnerability
  • Review access logs for unusual cross-project event access patterns if running affected versions prior to 2.2.0
  • Verify that authentication and authorization controls properly enforce project boundaries in custom deployments
  • Monitor for additional security advisories from the Bugsink project for related authorization issues
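The log review in the second action above needs more than the access log alone: a web server log shows which issue and event ids were requested, but whether an event belongs to the issue's project, or to a project the requesting user is a member of, must come from the application's own tables. The script below is an added example of that join, written for this debrief and not taken from Bugsink or the advisory. The URL layout (/issues/<issue_id>/events/<event_id>/...), the combined-format log with the authenticated username in the third field, and the reference tables are all constructed assumptions; a real review would substitute the deployment's actual routes and a database export.

```python
"""Constructed example: flag successful issue event page requests whose event
id belongs to a different project than the issue in the URL, or to a project
the requesting user is not a member of. URL layout, log format and reference
data are assumptions made for this example, not Bugsink's."""
import re
from dataclasses import dataclass
from typing import Dict, List

# Combined log format with the authenticated user in the third field (assumed).
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3})'
)
# Hypothetical route shape for issue event pages.
PATH_RE = re.compile(r"^/issues/(?P<issue_id>[^/]+)/events/(?P<event_id>[^/]+)/")

# Constructed reference data standing in for a database export.
EVENT_PROJECT = {"evt-A1": "proj-A", "evt-B1": "proj-B", "evt-B2": "proj-B"}
ISSUE_PROJECT = {"issue-A": "proj-A", "issue-B": "proj-B"}
MEMBERSHIP = {"alice": {"proj-A"}, "bob": {"proj-B"}, "carol": {"proj-A", "proj-B"}}

# Constructed access log lines.
SAMPLE_LOG = """\
10.0.0.5 - alice [26/May/2026:10:00:01 +0000] "GET /issues/issue-A/events/evt-A1/stacktrace/ HTTP/1.1" 200 5123
10.0.0.5 - alice [26/May/2026:10:00:09 +0000] "GET /issues/issue-A/events/evt-B1/stacktrace/ HTTP/1.1" 200 7711
10.0.0.5 - alice [26/May/2026:10:00:12 +0000] "GET /issues/issue-A/events/evt-B2/breadcrumbs/ HTTP/1.1" 200 2210
10.0.0.7 - carol [26/May/2026:10:01:00 +0000] "GET /issues/issue-A/events/evt-B1/details/ HTTP/1.1" 200 4000
10.0.0.9 - bob [26/May/2026:10:02:00 +0000] "GET /issues/issue-B/events/evt-B1/details/ HTTP/1.1" 200 4000
10.0.0.9 - bob [26/May/2026:10:02:30 +0000] "GET /issues/issue-B/events/evt-A1/details/ HTTP/1.1" 404 0
"""


@dataclass(frozen=True)
class Finding:
    user: str
    ts: str
    issue_id: str
    event_id: str
    reasons: tuple  # one or both of the two reason strings below

MISMATCH = "event not in the URL issue's project"
NON_MEMBER = "user not a member of the event's project"


def scan(log_text: str) -> List[Finding]:
    """Return one Finding per successful request that crossed a project boundary."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["status"] != "200":
            continue  # only requests that actually returned event data matter
        p = PATH_RE.match(m["path"])
        if not p:
            continue
        issue_id, event_id, user = p["issue_id"], p["event_id"], m["user"]
        event_project = EVENT_PROJECT.get(event_id)
        reasons = []
        if event_project != ISSUE_PROJECT.get(issue_id):
            reasons.append(MISMATCH)  # the CWE-639 signature for this CVE
        if event_project not in MEMBERSHIP.get(user, set()):
            reasons.append(NON_MEMBER)  # data the user should never have seen
        if reasons:
            findings.append(Finding(user, m["ts"], issue_id, event_id, tuple(reasons)))
    return findings


def exposure_by_user(findings: List[Finding]) -> Dict[str, int]:
    """Count, per user, the requests that returned events from projects the
    user is not a member of; these are the confirmed exposures to triage first."""
    counts: Dict[str, int] = {}
    for f in findings:
        if NON_MEMBER in f.reasons:
            counts[f.user] = counts.get(f.user, 0) + 1
    return counts


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f.ts, f.user, f.issue_id, f.event_id, "; ".join(f.reasons))
    print(exposure_by_user(scan(SAMPLE_LOG)))
```

A mismatch alone (carol, who belongs to both projects) is still worth recording because it shows the URL was manipulated, but the non-member hits are the ones that represent actual cross-project disclosure. Requests that ended in 404 are skipped because no event data was returned; on a patched 2.2.0 instance, every cross-project attempt should fall into that bucket.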

Evidence notes

The vulnerability description and fix version are sourced from the official GitHub Security Advisory and NVD entry. The CVSS vector (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N) confirms network attack vector with high complexity, low privileges required, and low confidentiality impact. CWE-639 (Authorization Bypass Through User-Controlled Key) is the assigned weakness classification.

Official resources

Disclosed 2026-05-26 via GitHub Security Advisory GHSA-vx2f-6m6h-9frf and NVD. The vendor released a fix in version 2.2.0 on the same day. No known exploitation in the wild has been reported.