CVE-2026-47716
Bugsink: Issue bulk actions can affect another project’s issue if its UUID is known
Description

Bugsink's issue list supports bulk actions such as resolving or muting selected issues. In affected versions, the issue list view authorizes access through the project in the URL, but applies the requested bulk action to the submitted issue IDs without also requiring those issues to belong to that project. This is a project-boundary authorization issue: a logged-in user with access to one project can change the state of an issue in another project.

However, the issue is mitigated by two factors. First, the attacker needs to already know a valid target issue UUID; there is no issue enumeration path here, and guessing UUIDs is not practical. Second, Bugsink is commonly self-hosted within a single trust domain, and Hosted Bugsink gives each tenant a separate Bugsink instance, so cross-project access does not normally imply cross-tenant access.

This has been fixed by requiring bulk issue actions to operate only on issues belonging to the authorized project.

Impact

Low-severity cross-project issue state modification, requiring authentication and prior knowledge of a valid issue UUID.
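The following is an added illustration of the defect class described above and of the fix shape the advisory names (scoping the bulk action to the authorized project). It is not Bugsink's code: the `Store`, `Project`, `Issue` types and the `bulk_resolve_*` functions are hypothetical stand-ins for a Django-style view and ORM, with constructed sample data, so the block runs offline. The pre-fix handler authorizes on the project in the URL but mutates whatever IDs were submitted; the post-fix handler additionally drops any submitted ID that is not an issue of that project.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple
import uuid


class Forbidden(Exception):
    """Raised when the user is not a member of the project named in the URL."""


@dataclass
class Project:
    id: str
    members: Set[str] = field(default_factory=set)


@dataclass
class Issue:
    id: str            # UUID string, matching the advisory's description of issue IDs
    project_id: str
    state: str = "open"


@dataclass
class Store:
    """Hypothetical in-memory stand-in for the database (constructed for this example)."""
    projects: Dict[str, Project] = field(default_factory=dict)
    issues: Dict[str, Issue] = field(default_factory=dict)


def _authorize(store: Store, user: str, project_id: str) -> Project:
    """Project-level check: the user must be a member of the project in the URL."""
    project = store.projects[project_id]
    if user not in project.members:
        raise Forbidden(f"{user} is not a member of project {project_id}")
    return project


def bulk_resolve_unscoped(store: Store, user: str, project_id: str,
                          issue_ids: List[str]) -> List[str]:
    """Pre-fix shape: authorization is tied to the URL's project, but the action
    is applied to every submitted ID that exists, whatever project it belongs to."""
    _authorize(store, user, project_id)
    changed = []
    for issue_id in issue_ids:
        issue = store.issues.get(issue_id)
        if issue is not None:          # missing check: issue.project_id == project_id
            issue.state = "resolved"
            changed.append(issue_id)
    return changed


def bulk_resolve_scoped(store: Store, user: str, project_id: str,
                        issue_ids: List[str]) -> Tuple[List[str], List[str]]:
    """Post-fix shape: the submitted IDs are intersected with the authorized
    project's own issues (the ORM analogue is filter(project=project, id__in=ids))."""
    _authorize(store, user, project_id)
    changed, dropped = [], []
    for issue_id in issue_ids:
        issue = store.issues.get(issue_id)
        if issue is None or issue.project_id != project_id:
            dropped.append(issue_id)   # unknown or foreign issue: never touched
            continue
        issue.state = "resolved"
        changed.append(issue_id)
    return changed, dropped


def build_store() -> Tuple[Store, str, str]:
    """Constructed sample data: 'alice' is a member of project A only,
    and each project holds one open issue."""
    store = Store()
    store.projects["A"] = Project("A", {"alice"})
    store.projects["B"] = Project("B", {"bob"})
    own, foreign = str(uuid.uuid4()), str(uuid.uuid4())
    store.issues[own] = Issue(own, "A")
    store.issues[foreign] = Issue(foreign, "B")
    return store, own, foreign


def demo_unscoped() -> Dict[str, str]:
    """Alice, authorized for A, submits A's issue plus B's issue ID to the pre-fix handler."""
    store, own, foreign = build_store()
    bulk_resolve_unscoped(store, "alice", "A", [own, foreign])
    return {"own": store.issues[own].state, "foreign": store.issues[foreign].state}


def demo_scoped() -> Dict[str, str]:
    """Same request against the post-fix handler: the foreign issue is dropped."""
    store, own, foreign = build_store()
    changed, dropped = bulk_resolve_scoped(store, "alice", "A", [own, foreign])
    assert changed == [own] and dropped == [foreign]
    return {"own": store.issues[own].state, "foreign": store.issues[foreign].state}


def demo_forbidden() -> bool:
    """The project-level check itself still rejects a non-member outright."""
    store, _own, foreign = build_store()
    try:
        bulk_resolve_scoped(store, "alice", "B", [foreign])
    except Forbidden:
        return True
    return False


if __name__ == "__main__":
    print("pre-fix :", demo_unscoped())   # both issues resolved
    print("post-fix:", demo_scoped())     # only project A's issue resolved
```

The point to take from the two handlers is that membership in the URL's project is necessary but not sufficient: the object set the action touches must be derived from that same project, not from client-supplied IDs. Dropping foreign IDs silently (as above) matches the advisory's "operate only on issues belonging to the authorized project"; returning an error for them is an equally valid choice, as long as nothing outside the project is modified.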
How to patch CVE-2026-47716
To patch CVE-2026-47716, upgrade the affected package to the patched version listed below.
- — Upgrade to 2.2.0 or later
Is CVE-2026-47716 being exploited?
There are currently no signals of exploitation. CVE-2026-47716 is neither listed in CISA KEV nor does it have a recent EPSS score.
Affected packages (1)
- from 0, < 2.2.0
CVSS score
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | LOW (3.1) | CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N |