GHSA-5389-F7VH-WXJ8

Vulnerability from github – Published: 2026-06-05 21:44 – Updated: 2026-06-05 21:44
VLAI
Summary
Bugsink: Project scoping missing in sourcemap and debug-file lookup
Details

Summary

Bugsink before 2.2.0 resolved sourcemaps and debug files by debug ID without scoping that lookup to the project that owned the uploaded metadata. An authenticated user with access to one project could cause event processing in that project to use sourcemap/debug-file metadata uploaded for another project in the same Bugsink instance, if the same debug ID was referenced.

Impact

This could disclose source context or symbolication-derived context from another project on the same Bugsink instance.

For sourcemaps, the documented upload flow used sentry-cli sourcemaps upload with --project=ignoredfornow. In other words, Bugsink did not historically treat the project value supplied during sourcemap upload as meaningful project ownership. This was documented, but at the same time the sentry-cli, which requires project as a parameter, was the recommended mechanism for uploads. This could reasonably lead people to expect that sourcemaps uploads would respect the provided project-boundary.

For minidumps/debug files specifically, the affected functionality also required FEATURE_MINIDUMPS to be enabled. That feature was marked experimental.

The practical impact is further limited by Bugsink’s deployment model: self-hosted instances are commonly operated within a single organization/trust domain, and Hosted Bugsink uses separate Bugsink instances per tenant. The issue does not cross Hosted Bugsink tenant boundaries.

Affected Versions

2.1.3 and earlier are affected.

Patched Versions

2.2.0 fixes this issue.

Post-Upgrade Notes

After upgrading, upload sourcemaps/debug files with project information.

To remove legacy projectless sourcemap metadata immediately, run, after upgrading:

bugsink-manage delete_legacy_sourcemaps
Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "bugsink"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.2.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-47728"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-862"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-06-05T21:44:33Z",
    "nvd_published_at": "2026-05-26T17:16:53Z",
    "severity": "MODERATE"
  },
  "details": "### Summary\n\nBugsink before 2.2.0 resolved sourcemaps and debug files by debug ID without scoping that lookup to the project that owned the uploaded metadata. An authenticated user with access to one project could cause event processing in that project to use sourcemap/debug-file metadata uploaded for another project in the same Bugsink instance, if the same debug ID was referenced.\n\n### Impact\n\nThis could disclose source context or symbolication-derived context from another project on the same Bugsink instance.\n\nFor sourcemaps, the documented upload flow used `sentry-cli sourcemaps upload` with `--project=ignoredfornow`. In other words, Bugsink did not historically treat the project value supplied during sourcemap upload as meaningful project ownership. This was documented, but at the same time the `sentry-cli`, which requires project as a parameter, was the recommended mechanism for uploads. This could reasonably lead people to expect that sourcemaps uploads would respect the provided project-boundary.\n\nFor minidumps/debug files specifically, the affected functionality also required `FEATURE_MINIDUMPS` to be enabled. That feature was marked experimental.\n\nThe practical impact is further limited by Bugsink\u2019s deployment model: self-hosted instances are commonly operated within a single organization/trust domain, and Hosted Bugsink uses separate Bugsink instances per tenant. The issue does not cross Hosted Bugsink tenant boundaries.\n\n### Affected Versions\n2.1.3 and earlier are affected.\n\n### Patched Versions\n2.2.0 fixes this issue.\n\n### Post-Upgrade Notes\n\nAfter upgrading, upload sourcemaps/debug files with project information.\n\nTo remove legacy projectless sourcemap metadata immediately, run, after upgrading:\n\n```\nbugsink-manage delete_legacy_sourcemaps\n```",
  "id": "GHSA-5389-f7vh-wxj8",
  "modified": "2026-06-05T21:44:33Z",
  "published": "2026-06-05T21:44:33Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/bugsink/bugsink/security/advisories/GHSA-5389-f7vh-wxj8"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-47728"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/bugsink/bugsink"
    },
    {
      "type": "WEB",
      "url": "https://github.com/bugsink/bugsink/releases/tag/2.2.0"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Bugsink: Project scoping missing in sourcemap and debug-file lookup"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.


Loading…

Loading…

Loading…

Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Loading…

Detection rules are retrieved from Rulezet.

Loading…

Loading…