PatchSiren

CVE-2026-42070 mantisbt CVE debrief

MantisBT versions prior to 2.28.2 contain an authorization bypass in the SOAP API. The mc_issue_update() function lets any user who meets update_bug_threshold (UPDATER role, access level 40 by default) modify bugnotes belonging to other users, including a note's view state and time tracking. This circumvents the DEVELOPER threshold (level 55) that mc_issue_note_update() applies to the same operation. The root cause is inconsistent permission enforcement between the two API endpoints. Fixed in version 2.28.2.

Vendor
mantisbt
Product
MantisBT
CVSS
MEDIUM 5.3
CISA KEV
Not listed in stored evidence
Original CVE published
2026-05-28
Original CVE updated
2026-05-29
Advisory published
2026-05-28
Advisory updated
2026-05-29

Who should care

Organizations running multi-user MantisBT instances older than 2.28.2, particularly where the SOAP endpoint (api/soap/mantisconnect.php) is reachable by external integrations, or where UPDATER-level accounts must not be able to edit other users' notes or time-tracking entries.

Technical summary

The mc_issue_update() SOAP endpoint in MantisBT does not check that the caller meets the DEVELOPER threshold (level 55) that MantisBT requires for editing another user's bugnote. Any caller who passes update_bug_threshold (UPDATER, level 40 by default) can include existing bugnotes in the issue payload and alter them, view state and time tracking included, even when someone else authored them. mc_issue_note_update() enforces the higher threshold correctly, but mc_issue_update() performs the equivalent write without the equivalent check. The effect is that an account below the DEVELOPER threshold performs a DEVELOPER-level action on other users' data; it needs nothing beyond a valid SOAP login at UPDATER level.

Defensive priority

medium

Recommended defensive actions

  • Upgrade MantisBT to version 2.28.2 or later.
  • Review which accounts hold UPDATER (40) or higher, both as global access level and as per-project overrides; every such account could have exercised this bypass.
  • Audit MantisBT's issue history for bugnote edits, view-state changes and time-tracking changes made by accounts below the DEVELOPER threshold on notes they did not author. Do not limit the search to the window between the 2026-05-28 disclosure and patch deployment: the flaw existed before it was published.
  • If patching must wait, limit the SOAP endpoint (api/soap/mantisconnect.php) to trusted networks or integration hosts, or raise $g_webservice_readwrite_access_level_threshold in config_inc.php to DEVELOPER so that lower-level accounts cannot call write operations such as mc_issue_update() at all (this also blocks their legitimate SOAP writes).
  • After upgrading, verify the fix with a test account at UPDATER level: an mc_issue_update() call carrying another user's note with a changed view state or time tracking must now be rejected, exactly as mc_issue_note_update() rejects it.
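The endpoint inconsistency described in the technical summary and the history audit recommended above, as one added Python example (not PatchSiren's, MantisBT's, or the fix commit's code). It models the two endpoints' checks with the default thresholds the advisory cites (update_bug_threshold = UPDATER 40, update_bugnote_threshold = DEVELOPER 55) and runs the per-note policy over sample issue-history rows. Assumptions, labelled in the code: the own-note allowance below the threshold, the history type codes BUGNOTE_UPDATED = 3 and BUGNOTE_STATE_CHANGED = 6 with old_value holding the bugnote id, global rather than per-project access levels, and the sample rows themselves, which are constructed.

```python
from dataclasses import dataclass
from typing import Optional

# MantisBT default access levels and the two thresholds the advisory contrasts.
VIEWER, REPORTER, UPDATER, DEVELOPER, MANAGER, ADMINISTRATOR = 10, 25, 40, 55, 70, 90
UPDATE_BUG_THRESHOLD = UPDATER        # gate mc_issue_update() checks
UPDATE_BUGNOTE_THRESHOLD = DEVELOPER  # gate for editing someone else's bugnote

# Assumed history type codes for mantis_bug_history_table.type; confirm them
# against core/constant_inc.php of your version before trusting the audit.
BUGNOTE_UPDATED = 3
BUGNOTE_STATE_CHANGED = 6
BUGNOTE_EVENT_TYPES = {BUGNOTE_UPDATED, BUGNOTE_STATE_CHANGED}

DISCLOSURE_TS = 1779926400  # 2026-05-28 00:00 UTC, the advisory's publication date


def note_edit_allowed(actor_id, actor_level, note_author_id,
                      threshold=UPDATE_BUGNOTE_THRESHOLD):
    """Per-note policy as mc_issue_note_update() applies it (per the advisory):
    editing your own note is allowed; anyone else's note needs `threshold`.
    The own-note allowance is an assumption about MantisBT's defaults."""
    return actor_id == note_author_id or actor_level >= threshold


def issue_update_accepts_note_edit(actor_id, actor_level, note_author_id, patched):
    """Model of mc_issue_update(). Unpatched, only update_bug_threshold is
    consulted, so any UPDATER may rewrite notes it does not own; patched, the
    per-note policy is applied as well. Returns True if the edit goes through."""
    if actor_level < UPDATE_BUG_THRESHOLD:
        return False
    if not patched:
        return True  # the bypass: ownership and the DEVELOPER gate are never checked
    return note_edit_allowed(actor_id, actor_level, note_author_id)


@dataclass(frozen=True)
class Finding:
    history_id: int
    bug_id: int
    bugnote_id: int
    actor_id: int
    actor_level: int
    note_author_id: Optional[int]  # None when the note no longer exists
    date_modified: int


def audit_bugnote_edits(history, bugnotes, users, since=0):
    """Flag bugnote edits in issue history that the per-note policy would have
    refused. `history`: dicts with id, user_id, bug_id, type, old_value,
    date_modified (old_value holds the bugnote id for bugnote events);
    `bugnotes`: bugnote id -> author user id; `users`: user id -> global level."""
    findings = []
    for row in history:
        if row["type"] not in BUGNOTE_EVENT_TYPES or row["date_modified"] < since:
            continue
        try:
            bugnote_id = int(row["old_value"])
        except (TypeError, ValueError):
            continue  # not a bugnote reference; report separately in real use
        actor = row["user_id"]
        level = users.get(actor, VIEWER)  # deleted/unknown user: assume lowest
        author = bugnotes.get(bugnote_id)
        if note_edit_allowed(actor, level, author):
            continue
        findings.append(Finding(row["id"], row["bug_id"], bugnote_id, actor,
                                level, author, row["date_modified"]))
    return findings


# Constructed sample data, shaped like the three MantisBT tables involved.
SAMPLE_USERS = {1: ADMINISTRATOR, 2: DEVELOPER, 3: UPDATER, 4: UPDATER}
SAMPLE_BUGNOTES = {100: 4, 101: 2, 102: 3}  # bugnote id -> author user id
SAMPLE_HISTORY = [
    # UPDATER 3 edits a note authored by user 4 after disclosure: finding
    {"id": 1, "user_id": 3, "bug_id": 10, "type": BUGNOTE_UPDATED, "old_value": "100", "date_modified": 1780012800},
    # UPDATER 3 changes the view state of its own note: allowed
    {"id": 2, "user_id": 3, "bug_id": 10, "type": BUGNOTE_STATE_CHANGED, "old_value": "102", "date_modified": 1780012900},
    # DEVELOPER 2 edits someone else's note: allowed by threshold
    {"id": 3, "user_id": 2, "bug_id": 11, "type": BUGNOTE_UPDATED, "old_value": "100", "date_modified": 1780020000},
    # ordinary field change (type 0), not a bugnote event: ignored
    {"id": 4, "user_id": 3, "bug_id": 11, "type": 0, "old_value": "10", "date_modified": 1780020100},
    # UPDATER 4 flips the view state of a DEVELOPER's note: finding
    {"id": 5, "user_id": 4, "bug_id": 12, "type": BUGNOTE_STATE_CHANGED, "old_value": "101", "date_modified": 1780099200},
    # same pattern but before disclosure: found unless a `since` cutoff hides it
    {"id": 6, "user_id": 3, "bug_id": 12, "type": BUGNOTE_UPDATED, "old_value": "101", "date_modified": 1779000000},
]

if __name__ == "__main__":
    print("unpatched mc_issue_update accepts UPDATER editing another user's note:",
          issue_update_accepts_note_edit(3, UPDATER, 4, patched=False))
    for finding in audit_bugnote_edits(SAMPLE_HISTORY, SAMPLE_BUGNOTES, SAMPLE_USERS):
        print(finding)
```

Run it without a `since` cutoff first; row 6 shows why limiting the audit to the post-disclosure window would miss an edit the policy should have refused. To run against a real instance, replace the three sample structures with query results from mantis_bug_history_table, mantis_bugnote_table (id, reporter_id) and mantis_user_table (id, access_level), and extend the level lookup with mantis_project_user_list_table if you use per-project overrides.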

Evidence notes

Official GitHub Security Advisory GHSA-pq86-j2c2-47f6 confirms the authorization bypass and fix version. Commit 6e58fae4f22efdc3987f903c8ba2611de17a9435 contains the remediation. MantisBT bug tracker entries 37089 and 37093 document the issue.

Official resources

GitHub Security Advisory GHSA-pq86-j2c2-47f6 (published 2026-05-28)