PT-2026-43306 · Bugsink · Bugsink
Susen2
·
Published
2026-05-26
·
Updated
2026-06-06
·
CVE-2026-47716
CVSS v3.1
3.1
Low
| Vector | AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N |
Name of the Vulnerable Software and Affected Versions
Bugsink versions prior to 2.2.0
Description
Bugsink is a self-hosted error tracking tool. A project-boundary authorization issue exists in the issue list view, which supports bulk actions such as resolving or muting selected issues. The system authorizes access based on the project specified in the URL but applies bulk actions to the submitted issue IDs without verifying that those issues belong to the authorized project. This allows an authenticated user with access to one project to modify the state of an issue in another project, provided they possess a valid target issue UUID. Because UUIDs are not easily guessable and there is no enumeration path, the risk is limited. Additionally, since the software is typically self-hosted within a single trust domain or deployed in separate instances per tenant, this does not normally result in cross-tenant access.
Recommendations
Update to version 2.2.0.
Exploit
Fix
IDOR
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Bugsink