PYSEC-2026-2403

See a problem?
Import Source
https://github.com/pypa/advisory-database/blob/main/vulns/bugsink/PYSEC-2026-2403.yaml
JSON Data
https://api.osv.dev/v1/vulns/PYSEC-2026-2403
Aliases
Published
2026-07-13T15:46:15.452959Z
Modified
2026-07-13T16:31:39.074820265Z
Severity
  • 4.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L CVSS Calculator
Summary
Bugsink: DOS using large numbers of event tags
Details

Summary

In affected versions, Bugsink stores every tag supplied with an incoming event. An event with an unusually large number of custom (i.e. supplied by an attacker) tags can therefore make ingestion spend more time than intended writing tag rows.

Bugsink uses a single-writer database architecture. That keeps the implementation simple, but it also means one expensive write transaction can delay other event digestion while it is running. In this case, it makes ingestion of other events wait until the transaction that writes the tags finishes, which effectively causes a temporary denial of service for other events.

Impact

Submitting such an event requires a valid project DSN. DSNs are sometimes visible in client-side applications, so they should not be treated as a strong security boundary, but the issue is still limited to ingestion for a Bugsink instance that accepts the event.

The impact is availability-only. The issue does not expose stored data, modify existing events, or allow code execution.

Mitigation

Update to version 2.2.2, which caps the number of tags stored for a single event. The default cap is 100 tags and can be changed with MAX_EVENT_TAGS.

References

Affected packages

PyPI / bugsink

Package

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
2.2.2

Affected versions

0.*
0.0.1
0.1.12
0.1.13
0.1.14
0.1.15
0.1.16
0.1.17
0.1.18
0.1.19
0.1.20
1.*
1.0.0
1.0.1
1.1.0
1.1.1
1.1.2
1.2.0
1.3.0
1.4.0
1.4.1
1.4.2
1.4.3
1.5.0
1.5.1
1.5.2
1.5.3
1.5.4
1.5.5
1.6.0
1.6.1
1.6.2
1.6.3
1.6.4
1.7.0
1.7.1
1.7.2
1.7.3
1.7.4
1.7.5
1.7.6
2.*
2.0.0a1
2.0.0
2.0.1
2.0.2
2.0.3
2.0.4
2.0.5
2.0.6
2.0.7
2.0.8
2.0.9
2.0.10
2.0.11
2.0.12
2.0.13
2.0.14
2.1.0
2.1.1
2.1.2
2.1.3
2.2.0
2.2.1

Database specific

source
"https://github.com/pypa/advisory-database/blob/main/vulns/bugsink/PYSEC-2026-2403.yaml"