CVE-2026-47728: Multi-Tenant Isolation Bypass via Unscoped Debug ID Resolution in Bugsink
Vulnerability ID: CVE-2026-47728
CVSS Score: 4.3
Published: 2026-06-05
A critical authorization bypass vulnerability in Bugsink prior to version 2.2.0 allows authenticated users to access and resolve sourcemaps and debug files belonging to other projects on the same instance.
TL;DR
Bugsink prior to 2.2.0 fails to scope sourcemap and debug-file lookups to the owning project, allowing cross-project exposure of original source code.
Technical Details
- CWE ID: CWE-862
- Attack Vector: Network (AV:N)
- CVSS Base Score: 4.3 (Medium)
- EPSS Score: 0.00028
- Exploit Status: None
- CISA KEV Status: Not Listed
Affected Systems
- Bugsink: < 2.2.0 (fixed in 2.2.0)
Code Analysis
- Commit a761c6d: Scope sourcemap metadata to projects
- Commit 2321b37: Additional scope fixes for sourcemaps
- Commit 7d0faef: Address positional argument shifting in minidump handling
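The flaw class the commits above address (CWE-862, a lookup keyed only on the debug ID with no project predicate) is easiest to see side by side with its scoped counterpart. The block below is an added illustration, not Bugsink's code: the record type, function names and the in-memory store standing in for the database are all assumptions, and the debug IDs and project slugs are constructed sample values. It also models the legacy-cleanup step, since a row with no owning project can never satisfy a project-scoped query and is best removed.

```python
from dataclasses import dataclass
from typing import List, Optional, Set


class AuthorizationError(Exception):
    """Raised when a caller asks for a project they are not a member of."""


@dataclass(frozen=True)
class SourcemapRecord:
    debug_id: str               # Debug ID embedded in the minified bundle
    project: Optional[str]      # owning project slug; None for legacy, projectless uploads
    original_source: str        # the unminified source that a cross-project lookup would expose


# Constructed sample store: two projects on one instance plus one legacy row
# that predates project scoping (hypothetical data, not from the advisory).
STORE: List[SourcemapRecord] = [
    SourcemapRecord("aaaa-0001", "team-alpha", "// team-alpha original source"),
    SourcemapRecord("bbbb-0002", "team-beta", "// team-beta original source"),
    SourcemapRecord("cccc-0003", None, "// legacy upload with no project"),
]


def resolve_unscoped(debug_id: str) -> Optional[SourcemapRecord]:
    """Pre-fix pattern (CWE-862): the only predicate is the debug ID, so the
    tenant boundary is never consulted and any project's record can match."""
    return next((r for r in STORE if r.debug_id == debug_id), None)


def resolve_scoped(project: str, debug_id: str) -> Optional[SourcemapRecord]:
    """Fixed pattern: the owning project is part of the lookup key. A record
    from another project, or a projectless legacy record, is simply not found."""
    return next(
        (r for r in STORE if r.project == project and r.debug_id == debug_id),
        None,
    )


def resolve_for_user(member_of: Set[str], project: str, debug_id: str) -> Optional[SourcemapRecord]:
    """Authorization first (is the caller a member of this project?), then the
    scoped lookup. A foreign debug ID is indistinguishable from a missing one."""
    if project not in member_of:
        raise AuthorizationError(f"caller is not a member of project {project!r}")
    return resolve_scoped(project, debug_id)


def purge_legacy(store: List[SourcemapRecord]) -> int:
    """Counterpart of the advisory's legacy-cleanup step: drop rows that have no
    owning project, since they cannot be attributed to any tenant. Returns the
    number of rows removed."""
    before = len(store)
    store[:] = [r for r in store if r.project is not None]
    return before - len(store)


if __name__ == "__main__":
    # A team-alpha member resolving team-beta's debug ID:
    print("unscoped:", resolve_unscoped("bbbb-0002"))                       # leaks team-beta's record
    print("scoped:  ", resolve_for_user({"team-alpha"}, "team-alpha", "bbbb-0002"))  # None
    print("purged legacy rows:", purge_legacy(STORE))
```

The point the scoped version makes is that the project filter belongs in the query itself, not in a check bolted on after the row is fetched; once the project is part of the key, the membership check in resolve_for_user and the lookup cannot disagree.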
Mitigation Strategies
- Upgrade Bugsink to version 2.2.0 or higher
- Run the legacy sourcemap deletion command to remove unassociated metadata
- Re-upload sourcemaps with explicit project slugs
Remediation Steps:
- Pull the Bugsink image or package for version 2.2.0 or newer.
- Apply database migrations using standard deployment commands.
- Execute 'bugsink-manage delete_legacy_sourcemaps' to purge legacy, projectless mappings.
- Update deployment pipelines to include explicit '--project' parameters when uploading assets via sentry-cli.