GHSA-G5VC-Q7QC-V939

Vulnerability from github – Published: 2026-06-05 21:43 – Updated: 2026-06-05 21:43
VLAI
Summary
Bugsink: Issue bulk actions can affect another project’s issue if its UUID is known
Details

Description

Bugsink’s issue list supports bulk actions such as resolving or muting selected issues. In affected versions, the issue list view authorizes access through the project in the URL, but applies the requested bulk action to the submitted issue IDs without also requiring those issues to belong to that project.

This is a project-boundary authorization issue: a logged-in user with access to one project can change the state of an issue in another project. However, the issue is mitigated by two factors. First, the attacker needs to already know a valid target issue UUID; there is no issue enumeration path here, and guessing UUIDs is not practical. Second, Bugsink is commonly self-hosted within a single trust domain, and Hosted Bugsink gives each tenant a separate Bugsink instance, so cross-project access does not normally imply cross-tenant access.

This has been fixed by requiring bulk issue actions to operate only on issues belonging to the authorized project.

Impact

Low-severity cross-project issue state modification, requiring authentication and prior knowledge of a valid issue UUID.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "bugsink"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.2.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-47716"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-06-05T21:43:56Z",
    "nvd_published_at": "2026-05-26T17:16:52Z",
    "severity": "LOW"
  },
  "details": "### Description\nBugsink\u2019s issue list supports bulk actions such as resolving or muting selected issues. In affected versions, the issue list view authorizes access through the project in the URL, but applies the requested bulk action to the submitted issue IDs without also requiring those issues to belong to that project.\n\nThis is a project-boundary authorization issue: a logged-in user with access to one project can change the state of an issue in another project. However, the issue is mitigated by two factors. First, the attacker needs to already know a valid target issue UUID; there is no issue enumeration path here, and guessing UUIDs is not practical. Second, Bugsink is commonly self-hosted within a single trust domain, and Hosted Bugsink gives each tenant a separate Bugsink instance, so cross-project access does not normally imply cross-tenant access.\n\nThis has been fixed by requiring bulk issue actions to operate only on issues belonging to the authorized project.\n\n### Impact\n\nLow-severity cross-project issue state modification, requiring authentication and prior knowledge of a valid issue UUID.",
  "id": "GHSA-g5vc-q7qc-v939",
  "modified": "2026-06-05T21:43:56Z",
  "published": "2026-06-05T21:43:56Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/bugsink/bugsink/security/advisories/GHSA-g5vc-q7qc-v939"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-47716"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/bugsink/bugsink"
    },
    {
      "type": "WEB",
      "url": "https://github.com/bugsink/bugsink/releases/tag/2.2.0"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Bugsink: Issue bulk actions can affect another project\u2019s issue if its UUID is known"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.


Loading…

Loading…

Loading…

Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Loading…

Detection rules are retrieved from Rulezet.

Loading…

Loading…