CVE-2026-47716: Broken Object Level Authorization in Bugsink Bulk Issue Actions
Vulnerability ID: CVE-2026-47716
CVSS Score: 3.1
Published: 2026-06-05
Bugsink prior to version 2.2.0 is vulnerable to Broken Object Level Authorization (BOLA). The issue list view authorizes access based on the project in the URL path but applies requested bulk actions to submitted issue UUIDs globally, without verifying project ownership.
TL;DR
Bugsink before 2.2.0 allows authenticated users to execute bulk actions (such as resolving or muting issues) on cross-project issues by supplying unauthorized issue UUIDs in POST requests.
Technical Details
- CWE ID: CWE-639
- Attack Vector: Network (AV:N)
- CVSS Score: 3.1
- EPSS Score: 0.00029
- Impact: Low Integrity (I:L)
- Exploit Status: None (no public exploits)
- KEV Status: Not Listed
Affected Systems
- Bugsink: < 2.2.0 (Fixed in: 2.2.0)
Mitigation Strategies
- Upgrade Bugsink to version 2.2.0 or later.
- Restrict network access to authenticated users and limit exposure of issue UUIDs.
Remediation Steps
- Identify running Bugsink deployments.
- Update the deployment to pull image version 2.2.0 or newer.
- Verify that issue bulk action requests for unauthorized projects now return standard handling or validation failure without altering resource states.
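As an added illustration (not Bugsink's code, and not taken from the advisory or the fix commit), the following in-memory model shows the BOLA pattern the advisory describes and the scoped lookup that closes it. A bulk-action handler receives the project id from the URL path and a list of issue UUIDs from the POST body; the vulnerable variant authorizes only the path project and then acts on every submitted UUID, while the fixed variant also requires each issue to belong to that project. The final function is a small post-upgrade check in the spirit of the last remediation step above: a request that names an issue from another project must leave that issue unchanged. All class, function and parameter names and the sample issues are constructed for this example.

```python
"""Constructed model of the advisory's BOLA pattern (not Bugsink's code).

The store, issues and handler names below are assumptions made for this
illustration; Bugsink's real views, models and URL layout may differ.
"""
import uuid
from dataclasses import dataclass, field


@dataclass
class Issue:
    id: uuid.UUID
    project_id: int
    resolved: bool = False


@dataclass
class IssueStore:
    """Stand-in for the issues table: UUID -> Issue."""
    issues: dict = field(default_factory=dict)

    def add(self, project_id):
        issue = Issue(uuid.uuid4(), project_id)
        self.issues[issue.id] = issue
        return issue


def user_can_access(user_projects, project_id):
    """Path-level check: is the caller a member of the project in the URL?"""
    return project_id in user_projects


def bulk_action_vulnerable(store, user_projects, path_project_id, issue_ids):
    """Authorizes the URL project, then resolves every submitted UUID.

    The submitted UUIDs are never compared against path_project_id, so an
    issue from any other project is modified as well (the advisory's BOLA).
    """
    if not user_can_access(user_projects, path_project_id):
        return {"status": 403, "changed": 0}
    changed = 0
    for issue_id in issue_ids:
        issue = store.issues.get(issue_id)
        if issue is not None:
            issue.resolved = True
            changed += 1
    return {"status": 200, "changed": changed}


def bulk_action_fixed(store, user_projects, path_project_id, issue_ids):
    """Same path-level check, but the lookup is scoped to that project.

    A UUID belonging to another project is treated as if it did not exist
    and is silently skipped, so only the authorized project's state changes.
    """
    if not user_can_access(user_projects, path_project_id):
        return {"status": 403, "changed": 0}
    changed = 0
    for issue_id in issue_ids:
        issue = store.issues.get(issue_id)
        if issue is not None and issue.project_id == path_project_id:
            issue.resolved = True
            changed += 1
    return {"status": 200, "changed": changed}


def verify_cross_project_isolation(handler):
    """Post-upgrade check: a bulk request naming an issue outside the URL
    project must not change that issue. Returns True when the handler
    only touched the caller's own issue."""
    store = IssueStore()
    own = store.add(project_id=1)
    foreign = store.add(project_id=2)
    # Caller is a member of project 1 only, but the body lists both UUIDs.
    handler(store, user_projects={1}, path_project_id=1,
            issue_ids=[own.id, foreign.id])
    return own.resolved and not foreign.resolved


if __name__ == "__main__":
    print("vulnerable handler isolates projects:",
          verify_cross_project_isolation(bulk_action_vulnerable))
    print("fixed handler isolates projects:",
          verify_cross_project_isolation(bulk_action_fixed))
```

The design point is that the path-level membership check alone is not an object-level check: every object identifier taken from the request body has to be resolved through a lookup that is already filtered by the authorized project, so that a foreign UUID can never reach the state-changing code. Running the check function against a real deployment's handler after upgrading gives a direct signal that the cross-project write path is closed.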
References
- https://github.com/bugsink/bugsink/security/advisories/GHSA-g5vc-q7qc-v939
- https://github.com/bugsink/bugsink/releases/tag/2.2.0
- https://github.com/bugsink/bugsink/commit/1a98424a87cc95bdb9b2ee3acfc86c0ee67db139
- https://www.cve.org/CVERecord?id=CVE-2026-47716