PatchSiren cyber security CVE debrief

CVE-2026-47716 bugsink CVE debrief

A broken access control vulnerability in Bugsink's issue list view allows authenticated users with low privileges to perform unauthorized bulk actions on issues outside their authorized project scope. The application validates project-level access based on the URL parameter but fails to verify that submitted issue IDs belong to that same project before executing bulk operations. This authorization gap permits cross-project issue manipulation. The vulnerability is classified as low severity due to the high attack complexity and limited impact (integrity only, no confidentiality or availability impact). The issue affects all versions prior to 2.2.0 and was disclosed through GitHub's security advisory program.

Vendor
bugsink
Product
Unknown
CVSS
LOW 3.1
CISA KEV
Not listed in stored evidence
Original CVE published
2026-05-26
Original CVE updated
2026-05-26
Advisory published
2026-05-26
Advisory updated
2026-05-26

Who should care

Organizations running self-hosted Bugsink instances prior to 2.2.0 with multi-project deployments and role-based access controls; security teams monitoring for authorization bypass patterns in issue tracking systems; developers maintaining forked or customized Bugsink deployments

Technical summary

The Bugsink error tracking platform contains an insecure direct object reference (IDOR) variant in its issue list bulk action functionality. The view handler retrieves the project from URL parameters for initial authorization, then applies user-requested bulk operations (status changes, assignments, resolutions) to arbitrary issue IDs submitted in the request body without secondary ownership verification. This architectural gap allows authenticated users with legitimate access to one project to manipulate issues belonging to other projects by crafting requests with valid project URLs but foreign issue identifiers. The vulnerability manifests as CWE-639 (Authorization Bypass Through User-Controlled Key) and requires network access, valid low-privilege credentials, and high attack complexity due to the need to identify valid issue IDs from other projects. Remediation in version 2.2.0 adds ownership validation ensuring all target issues belong to the authorized project before action execution.
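The authorization gap described above, modelled as an added example: this is not Bugsink's code, and the `Issue` dataclass, the `MEMBERSHIP` table and the two `bulk_resolve_*` handlers are hypothetical stand-ins for a view that takes the project from the URL and the issue IDs from the request body. The first handler reproduces the CWE-639 shape (project checked, issue IDs looked up unscoped); the second adds the ownership validation the advisory describes, failing closed when any requested ID is outside the URL's project.

```python
from dataclasses import dataclass


@dataclass
class Issue:
    id: int
    project_id: int
    status: str = "open"


def make_sample_issues():
    # Constructed sample data: issues 1 and 2 live in project 10, issue 3 in project 20.
    return {
        1: Issue(1, project_id=10),
        2: Issue(2, project_id=10),
        3: Issue(3, project_id=20),
    }


# Constructed membership table: user -> set of project IDs the user may act on.
MEMBERSHIP = {"alice": {10}, "bob": {20}}


def user_can_access(user, project_id):
    return project_id in MEMBERSHIP.get(user, set())


def bulk_resolve_vulnerable(user, project_id, issue_ids, issues):
    """The CWE-639 shape: project access is checked from the URL parameter, but the
    issue IDs from the request body are resolved by key alone, with no project scope."""
    if not user_can_access(user, project_id):
        raise PermissionError(f"{user} has no access to project {project_id}")
    touched = []
    for iid in issue_ids:
        issue = issues.get(iid)  # lookup by key only: the issue's project is never consulted
        if issue is None:
            continue
        issue.status = "resolved"
        touched.append(iid)
    return touched


def bulk_resolve_fixed(user, project_id, issue_ids, issues):
    """Same entry check, plus ownership validation: every target issue must belong to
    the project named in the URL, otherwise the whole request is rejected."""
    if not user_can_access(user, project_id):
        raise PermissionError(f"{user} has no access to project {project_id}")
    requested = set(issue_ids)
    in_scope = {
        iid for iid in requested
        if iid in issues and issues[iid].project_id == project_id
    }
    if in_scope != requested:
        # Reject rather than silently drop the foreign IDs: unknown IDs fail closed too,
        # and the mismatch is worth surfacing in logs as a possible probing attempt.
        raise PermissionError(
            f"issues outside project {project_id}: {sorted(requested - in_scope)}"
        )
    for iid in in_scope:
        issues[iid].status = "resolved"
    return sorted(in_scope)
```

In a Django view the same validation is usually expressed by scoping the queryset to the project before acting (for example `Issue.objects.filter(project=project, pk__in=ids)`) and refusing the request if the number of matched rows is smaller than the number of distinct IDs submitted; that is general Django practice, not a description of the upstream fix.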

Defensive priority

LOW

Recommended defensive actions

  • Upgrade to Bugsink version 2.2.0 or later to remediate this vulnerability
  • Review application logs for bulk action requests with mismatched project/issue ID combinations prior to upgrade
  • Implement additional authorization checks in custom deployments to verify issue ownership against project scope before bulk operations
  • Audit user permissions to ensure principle of least privilege for project access
  • Monitor for anomalous bulk action patterns across project boundaries
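The log review and monitoring items above need a join between each bulk-action request and the project each submitted issue actually belongs to. The following added example (not part of the debrief or of Bugsink) does that over constructed log lines: the line format, the `/projects/<id>/issues/bulk/` path, the `issue_ids=` field and the `ISSUE_PROJECT` mapping are all assumptions, since the application's real request logs may not record posted IDs and the mapping would normally be exported from the database.

```python
import re
from collections import Counter

# Constructed log lines. In practice the bulk-action record would come from application
# request logging or a reverse-proxy log extended with the posted issue IDs.
LOG_LINES = [
    "2026-05-26T10:00:01Z user=alice POST /projects/10/issues/bulk/ action=resolve issue_ids=1,2",
    "2026-05-26T10:00:09Z user=alice POST /projects/10/issues/bulk/ action=resolve issue_ids=2,3",
    "2026-05-26T10:01:30Z user=bob POST /projects/20/issues/bulk/ action=assign issue_ids=3",
    "2026-05-26T10:02:12Z user=alice POST /projects/10/issues/bulk/ action=mute issue_ids=3,4",
    "2026-05-26T10:03:00Z user=alice GET /projects/10/issues/",
]

# Constructed issue -> project mapping (exported from the database in a real review).
ISSUE_PROJECT = {1: 10, 2: 10, 3: 20, 4: 20}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) POST /projects/(?P<project>\d+)/issues/bulk/ "
    r"action=(?P<action>\S+) issue_ids=(?P<ids>[\d,]+)$"
)


def parse_bulk_request(line):
    """Return the fields of a bulk-action POST, or None for any other line."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    return {
        "ts": m["ts"],
        "user": m["user"],
        "project": int(m["project"]),
        "action": m["action"],
        "issue_ids": [int(x) for x in m["ids"].split(",")],
    }


def find_cross_project_requests(lines, issue_project):
    """Flag bulk requests whose body names an issue owned by a project other than the
    one in the URL. IDs absent from the mapping (e.g. deleted issues) are reported
    separately rather than counted as foreign, to keep the signal clean."""
    findings = []
    for line in lines:
        req = parse_bulk_request(line)
        if req is None:
            continue
        foreign = sorted(
            iid for iid in req["issue_ids"]
            if iid in issue_project and issue_project[iid] != req["project"]
        )
        unknown = sorted(iid for iid in req["issue_ids"] if iid not in issue_project)
        if foreign:
            findings.append({
                "ts": req["ts"],
                "user": req["user"],
                "action": req["action"],
                "url_project": req["project"],
                "foreign_issue_ids": foreign,
                "unknown_issue_ids": unknown,
            })
    return findings


def users_by_mismatch_count(findings):
    """Rank users by how many cross-project requests they issued; a handful of hits
    from one account is the anomalous pattern the monitoring item refers to."""
    return Counter(f["user"] for f in findings)


if __name__ == "__main__":
    hits = find_cross_project_requests(LOG_LINES, ISSUE_PROJECT)
    for hit in hits:
        print(hit)
    print(users_by_mismatch_count(hits))
```

Run against a real export, the findings are also the list of issues whose status or assignment may have been altered from outside their project, which is the integrity impact to verify and, if needed, revert after upgrading.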

Evidence notes

Vulnerability description sourced from NVD record with CVSS 3.1 vector AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N. CWE-639 (Authorization Bypass Through User-Controlled Key) identified as primary weakness. Fix confirmed in release 2.2.0 per GitHub security advisory GHSA-g5vc-q7qc-v939.

Official resources

2026-05-26