CVE-2026-47728
Bugsink: Project scoping missing in sourcemap and debug-file lookup
Description
### Summary

Bugsink before 2.2.0 resolved sourcemaps and debug files by debug ID without scoping that lookup to the project that owned the uploaded metadata. An authenticated user with access to one project could cause event processing in that project to use sourcemap/debug-file metadata uploaded for another project in the same Bugsink instance, if the same debug ID was referenced.

### Impact

This could disclose source context or symbolication-derived context from another project on the same Bugsink instance.

For sourcemaps, the documented upload flow used `sentry-cli sourcemaps upload` with `--project=ignoredfornow`. In other words, Bugsink did not historically treat the project value supplied during sourcemap upload as meaningful project ownership. This was documented, but at the same time `sentry-cli`, which requires a project parameter, was the recommended mechanism for uploads. This could reasonably lead people to expect that sourcemap uploads would respect the provided project boundary.

For minidumps/debug files specifically, the affected functionality also required `FEATURE_MINIDUMPS` to be enabled. That feature was marked experimental.

The practical impact is further limited by Bugsink's deployment model: self-hosted instances are commonly operated within a single organization/trust domain, and Hosted Bugsink uses separate Bugsink instances per tenant. The issue does not cross Hosted Bugsink tenant boundaries.

### Affected Versions

2.1.3 and earlier are affected.

### Patched Versions

2.2.0 fixes this issue.

### Post-Upgrade Notes

After upgrading, upload sourcemaps/debug files with project information. To remove legacy projectless sourcemap metadata immediately, run, after upgrading:

```
bugsink-manage delete_legacy_sourcemaps
```
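The scoping defect described above, as an added example that is not Bugsink's own code: a constructed in-memory metadata table, a lookup by debug ID alone (the pre-2.2.0 behaviour as the advisory describes it) beside a lookup that also requires the owning project, and a helper that lists the legacy projectless records the post-upgrade command is meant to remove. The table contents, the `DebugArtifact` type and the function names are assumptions made for this illustration.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class DebugArtifact:
    """One uploaded sourcemap/debug-file record (hypothetical shape)."""
    debug_id: str
    project_id: Optional[int]   # None models a legacy, projectless upload
    source_context: str


# Constructed sample table: projects 1 and 2 both reference the same debug ID.
SHARED_DEBUG_ID = "11111111-aaaa-4bbb-8ccc-000000000001"
LEGACY_DEBUG_ID = "22222222-aaaa-4bbb-8ccc-000000000002"

ARTIFACTS = [
    DebugArtifact(SHARED_DEBUG_ID, 1, "source context uploaded by project 1"),
    DebugArtifact(SHARED_DEBUG_ID, 2, "source context uploaded by project 2"),
    DebugArtifact(LEGACY_DEBUG_ID, None, "legacy projectless source context"),
]


def lookup_unscoped(debug_id: str) -> Optional[DebugArtifact]:
    """Vulnerable pattern: first record matching the debug ID, whichever
    project uploaded it. An event in project 2 can be symbolicated with
    project 1's metadata, which is the disclosure the advisory describes."""
    for artifact in ARTIFACTS:
        if artifact.debug_id == debug_id:
            return artifact
    return None


def lookup_scoped(debug_id: str, project_id: int) -> Optional[DebugArtifact]:
    """Fixed pattern: the record must also belong to the project whose event
    is being processed, so metadata from other projects is never selected."""
    for artifact in ARTIFACTS:
        if artifact.debug_id == debug_id and artifact.project_id == project_id:
            return artifact
    return None


def legacy_projectless() -> list[DebugArtifact]:
    """Records without an owning project; a scoped lookup never matches them,
    and the advisory's post-upgrade step removes them outright."""
    return [artifact for artifact in ARTIFACTS if artifact.project_id is None]
```

Running the scoped lookup for project 2 returns project 2's own record, while the unscoped lookup hands project 1's record to whichever project asks first.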
How to patch CVE-2026-47728
To patch CVE-2026-47728, upgrade the affected package to the patched version listed below.
- Upgrade to 2.2.0 or later
Is CVE-2026-47728 being exploited?
There are currently no signals of exploitation. CVE-2026-47728 is not in the CISA KEV catalog and has no recent EPSS score.