CVE-2026-44502: Bunsink has an SSRF bypass in `validate_webhook_url`

May 8, 2026

Bugsink’s webhook URL validation in versions 2.1.2 and earlier could be (partially) bypassed because of a mismatch in URL parsing.

In some malformed URLs, Python’s standard URL parser (urllib) and the HTTP client stack (requests / urllib3) do not agree on which host is actually being targeted. That could allow a webhook URL to pass Bugsink’s outbound-host checks while the actual HTTP request is sent somewhere else.

References

github.com/advisories/GHSA-fp53-qcf8-2xx2
github.com/bugsink/bugsink
github.com/bugsink/bugsink/commit/940d2df635e06803ef658666d734306942db5cc7
github.com/bugsink/bugsink/releases/tag/2.1.3
github.com/bugsink/bugsink/security/advisories/GHSA-fp53-qcf8-2xx2
nvd.nist.gov/vuln/detail/CVE-2026-44502

Code Behaviors & Features

Detect and mitigate CVE-2026-44502 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →