CVE-2026-47715: Insecure Direct Object Reference (IDOR) / Cross-Project Authorization Bypass in Bugsink
Vulnerability ID: CVE-2026-47715
CVSS Score: 3.1
Published: 2026-06-05
An Insecure Direct Object Reference (IDOR) vulnerability in Bugsink (versions < 2.2.0) allows authenticated users with access to at least one project to view sensitive event details (including stack traces, local/environment variables, and execution breadcrumbs) belonging to other projects, by supplying a known event UUID directly to the issue event URL paths.
TL;DR
Authenticated users can bypass project boundaries to view unauthorized event data (stack traces, variables, breadcrumbs) by providing target event UUIDs directly to issue URL parameters due to a lack of scope enforcement in the Django query logic.
Technical Details
- CWE ID: CWE-639
- Attack Vector: Network (AV:N)
- CVSS v3.1 Score: 3.1 (Low)
- EPSS Score: 0.00028
- Exploit Status: None / No Public Exploit Available
- KEV Status: Not Listed
Affected Systems
- Bugsink (Self-Hosted Error Tracking)
- Bugsink: < 2.2.0 (Fixed in: 2.2.0)
Code Analysis
Commit: 9128661
Scope issue event lookup to authorized issue
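The lookup pattern the commit message points at, as an added illustration that is not Bugsink's own code: a plain-Python stand-in for a Django view that authorizes the issue from the URL path and then fetches the event. The model names, sample data and the assumption that the URL carries both an issue id and an event UUID are constructed for this example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Issue:
    id: str
    project: str

@dataclass(frozen=True)
class Event:
    uuid: str
    issue_id: str
    stacktrace: str

class PermissionDenied(Exception):
    pass

# Constructed sample data: two projects, one issue and one event each.
ISSUES = {"i-1": Issue("i-1", "alpha"), "i-2": Issue("i-2", "beta")}
EVENTS = {
    "e-aaaa": Event("e-aaaa", "i-1", "alpha trace"),
    "e-bbbb": Event("e-bbbb", "i-2", "beta trace"),
}
MEMBERSHIPS = {"alice": {"alpha"}}  # alice is a member of project alpha only

def authorized_issue(user, issue_id):
    """Resolve the issue from the URL path and enforce project membership."""
    issue = ISSUES.get(issue_id)
    if issue is None or issue.project not in MEMBERSHIPS.get(user, set()):
        raise PermissionDenied(f"{user} may not access issue {issue_id}")
    return issue

def event_unscoped(user, issue_id, event_uuid):
    """Vulnerable pattern: the issue is authorized, but the event is then
    fetched by UUID alone (the equivalent of Event.objects.get(id=event_uuid)),
    so any known UUID resolves regardless of which project it belongs to."""
    authorized_issue(user, issue_id)
    return EVENTS[event_uuid]

def event_scoped(user, issue_id, event_uuid):
    """Fixed pattern: the event lookup is filtered to the issue that was just
    authorized (the equivalent of Event.objects.get(id=event_uuid, issue=issue)),
    so an event from another project is a 404/denied, not a disclosure."""
    issue = authorized_issue(user, issue_id)
    event = EVENTS.get(event_uuid)
    if event is None or event.issue_id != issue.id:
        raise PermissionDenied(f"event {event_uuid} is not in issue {issue_id}")
    return event
```

The scoped variant is the one to look for in code review: every object reached through a URL parameter must be filtered by the parent object whose authorization was actually checked.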
Mitigation Strategies
- Upgrade Bugsink to version 2.2.0 or higher
- Conduct access log reviews to identify unauthorized traversal behavior
- Execute legacy sourcemap deletion scripts to purge unbounded historic assets
Remediation Steps:
- Identify active Bugsink self-hosted deployment version
- Pull the official Bugsink version 2.2.0 or higher package from https://github.com/bugsink/bugsink/releases/tag/2.2.0
- Apply database migrations and restart the Bugsink service
- Execute the management command: python manage.py delete_legacy_sourcemaps
References
- GHSA-vx2f-6m6h-9frf: Bugsink Insecure Direct Object Reference (IDOR) on issue event pages
- Bugsink Security Patch Commit
- Bugsink 2.2.0 Release Notes
- CVE.org Record for CVE-2026-47715