PatchSiren cyber security CVE debrief
CVE-2026-47728 bugsink CVE debrief
Bugsink, a self-hosted error tracking tool, contained a cross-project sourcemap and debug file lookup vulnerability prior to version 2.2.0. The issue stemmed from insufficient scoping when resolving debug IDs: an authenticated user with access to one project could cause event processing to use sourcemap or debug-file metadata uploaded for a different project within the same Bugsink instance, provided both projects referenced the same debug ID. This represents a missing authorization check (CWE-862) where the system failed to verify that the requesting user had access to the project owning the metadata before using it during event processing. The vulnerability requires network access and valid authentication to a project (low attack complexity, low privileges required), with potential for limited information disclosure if an attacker can control or predict debug IDs across projects. The fix in version 2.2.0 implements proper project-scoped lookups for debug ID resolution.
- Vendor: bugsink
- Product: Unknown
- CVSS: MEDIUM 4.3
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-26
- Original CVE updated: 2026-05-26
- Advisory published: 2026-05-26
- Advisory updated: 2026-05-26
Who should care
Organizations running self-hosted Bugsink instances prior to 2.2.0 with multiple projects and untrusted or partially-trusted users. It also concerns security teams managing error tracking infrastructure, developers relying on accurate sourcemap resolution for debugging, and compliance officers concerned with cross-tenant data isolation in multi-project deployments.
Technical summary
The vulnerability exists in Bugsink's debug file resolution logic. When processing events, the system resolves sourcemaps and debug files by debug ID without verifying that the authenticated user has access to the project that uploaded the associated metadata. An attacker with access to Project A can craft or trigger events referencing a debug ID that also exists in Project B, causing Bugsink to retrieve and apply Project B's sourcemap/debug-file metadata during Project A's event processing. This is a classic insecure direct object reference (IDOR) pattern applied to debug metadata lookup. The fix implements project-scoped queries ensuring debug ID lookups are constrained to the project context of the requesting user.
Defensive priority
medium
Recommended defensive actions
- Upgrade Bugsink to version 2.2.0 or later to remediate the cross-project debug ID lookup vulnerability
- Review project access controls to ensure principle of least privilege for authenticated users
- Audit debug ID usage patterns across projects to identify potential historical cross-project metadata references
- Monitor for unusual sourcemap resolution behavior in event processing pipelines
- If immediate upgrade is not feasible, restrict project access to trusted users and avoid debug ID collisions across projects
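The unscoped-versus-scoped lookup described in the technical summary, and the cross-project debug ID audit recommended above, as an added illustration that is not Bugsink's own code: the record layout, function names and debug IDs below are constructed for the example.

```python
from collections import defaultdict

# Constructed sample of uploaded debug-file metadata (hypothetical model, not Bugsink's schema).
# Two projects in the same instance uploaded metadata under the same debug ID, which is the
# precondition the advisory describes. Project B's row is listed first on purpose.
SHARED_ID = "11111111-1111-1111-1111-111111111111"
B_ONLY_ID = "22222222-2222-2222-2222-222222222222"
DEBUG_FILES = [
    {"project": "project-b", "debug_id": SHARED_ID, "artifact": "b-internal.js.map"},
    {"project": "project-a", "debug_id": SHARED_ID, "artifact": "a-bundle.js.map"},
    {"project": "project-b", "debug_id": B_ONLY_ID, "artifact": "b-only.js.map"},
]


def resolve_unscoped(debug_id):
    """Pre-2.2.0 pattern: the lookup is keyed on the debug ID alone, so whichever project's
    row matches first is applied, even to another project's event."""
    for row in DEBUG_FILES:
        if row["debug_id"] == debug_id:
            return row
    return None


def resolve_scoped(project, debug_id):
    """Fixed pattern: the lookup is constrained to the project whose event is being processed,
    so metadata uploaded for another project is never reachable through a colliding debug ID."""
    for row in DEBUG_FILES:
        if row["project"] == project and row["debug_id"] == debug_id:
            return row
    return None


def shared_debug_ids(rows):
    """Audit helper: debug IDs that appear in more than one project. On a pre-2.2.0 instance
    these are the IDs whose historical event processing may have crossed project boundaries."""
    projects_by_id = defaultdict(set)
    for row in rows:
        projects_by_id[row["debug_id"]].add(row["project"])
    return {d: sorted(p) for d, p in projects_by_id.items() if len(p) > 1}


if __name__ == "__main__":
    # Project A's event references SHARED_ID: the unscoped lookup returns Project B's sourcemap.
    print("unscoped:", resolve_unscoped(SHARED_ID)["artifact"])           # b-internal.js.map
    print("scoped:  ", resolve_scoped("project-a", SHARED_ID)["artifact"])  # a-bundle.js.map
    print("audit:   ", shared_debug_ids(DEBUG_FILES))
```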
Evidence notes
Vulnerability description and fix version confirmed via GitHub Security Advisory and release notes. CVSS 3.1 vector AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N indicates network-accessible, low-complexity attack requiring low privileges with limited confidentiality impact. CWE-862 (Missing Authorization) classified by GitHub. No KEV listing or known exploitation observed.