PatchSiren cyber security CVE debrief

CVE-2026-42071 mantisbt CVE debrief

Mantis Bug Tracker (MantisBT) versions 2.23.0 through 2.28.1 contain a missing authorization check in the file visibility function that allows any authenticated user with REPORTER privileges or higher to download attachments on private bugnotes they should not be able to access. The vulnerability affects both the REST API endpoint GET /api/rest/issues/{id}/files and the SOAP API mc_issue_attachment_get endpoint. This represents a confidentiality breach where users can access sensitive attachments intended to be restricted to specific project members or higher privilege levels. The CVSS 4.0 vector indicates network attack vector, low attack complexity, low privileges required, and high impact to confidentiality of victim data. The vulnerability was fixed in version 2.28.2 with a commit addressing the authorization gap. Organizations running affected versions should prioritize upgrading to 2.28.2 or later, particularly those hosting MantisBT instances with sensitive bug reports containing confidential attachments.

Vendor: mantisbt
Product: Unknown
CVSS: HIGH 7.2
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-28
Original CVE updated: 2026-05-29
Advisory published: 2026-05-28
Advisory updated: 2026-05-29

Who should care

Organizations running MantisBT instances with confidential bug reports, particularly those with external reporters or multi-tenant deployments where bugnote privacy boundaries are security-critical.

Technical summary

A missing authorization check in MantisBT's file visibility function (CWE-862) allows authenticated users with REPORTER+ privileges to bypass access controls and download attachments from private bugnotes. The vulnerability exists in both REST API (GET /api/rest/issues/{id}/files) and SOAP API (mc_issue_attachment_get) endpoints. Affected versions: 2.23.0 through 2.28.1. Fixed in 2.28.2.

Defensive priority

HIGH

Recommended defensive actions

  • Upgrade MantisBT to version 2.28.2 or later to remediate the missing authorization check
  • Review access logs for unusual attachment download patterns by REPORTER-level users via REST API (GET /api/rest/issues/{id}/files) or SOAP API (mc_issue_attachment_get)
  • Audit private bugnotes with attachments to identify potential unauthorized access
  • Implement additional access controls at the web server or API gateway layer to restrict attachment endpoints if immediate patching is not feasible
  • Monitor for exploitation attempts targeting attachment download endpoints
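The log-review action above can be scripted. The following is an added example written for this debrief, not code from PatchSiren or the MantisBT project: it scans constructed access-log lines for successful calls to the REST endpoint named in the advisory (GET /api/rest/issues/{id}/files) and flags users who list attachments of many distinct issues in a short window. The line format (client IP, MantisBT username, timestamp, request line, status) is an assumption; adapt the regex to your server's log format. The SOAP endpoint is not covered because the SOAP method name (mc_issue_attachment_get) travels in the POST body and is not visible in a standard access log.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real traffic). Assumed line format:
#   <client ip> <mantis username> [<timestamp>] "<request line>" <status>
SAMPLE_LOG = """\
10.0.0.5 alice [2026-05-29 09:00:01] "GET /api/rest/issues/101/files HTTP/1.1" 200
10.0.0.5 alice [2026-05-29 09:00:04] "GET /api/rest/issues/102/files HTTP/1.1" 200
10.0.0.9 bob [2026-05-29 09:01:00] "GET /api/rest/issues/101 HTTP/1.1" 200
10.0.0.7 mallory [2026-05-29 09:02:00] "GET /api/rest/issues/201/files HTTP/1.1" 200
10.0.0.7 mallory [2026-05-29 09:02:03] "GET /api/rest/issues/202/files HTTP/1.1" 200
10.0.0.7 mallory [2026-05-29 09:02:05] "GET /api/rest/issues/203/files HTTP/1.1" 403
10.0.0.7 mallory [2026-05-29 09:02:09] "GET /api/rest/issues/204/files HTTP/1.1" 200
10.0.0.7 mallory [2026-05-29 09:40:00] "GET /api/rest/issues/205/files HTTP/1.1" 200
"""

LINE_RE = re.compile(r'^(\S+) (\S+) \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})$')
REST_FILES_RE = re.compile(r'^/api/rest/issues/(\d+)/files$')  # endpoint from the advisory

def attachment_listings(log_text):
    """Yield (user, timestamp, issue_id) for successful REST attachment-list requests."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not match the assumed format
        _ip, user, ts, method, path, status = m.groups()
        p = REST_FILES_RE.match(path)
        if method == "GET" and status == "200" and p:
            yield user, datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), int(p.group(1))

def find_bulk_listers(log_text, threshold=3, window=timedelta(minutes=10)):
    """Return {user: sorted distinct issue ids} for users who successfully listed
    attachments of >= threshold distinct issues within any window-long span."""
    events = defaultdict(list)
    for user, ts, issue in attachment_listings(log_text):
        events[user].append((ts, issue))
    flagged = {}
    for user, evs in events.items():
        evs.sort()
        for i, (start, _) in enumerate(evs):
            ids = {iss for ts, iss in evs[i:] if ts - start <= window}
            if len(ids) >= threshold:
                flagged[user] = sorted({iss for _, iss in evs})
                break
    return flagged

if __name__ == "__main__":
    print(find_bulk_listers(SAMPLE_LOG))  # {'mallory': [201, 202, 204, 205]}
```

Only 200 responses count, so the 403 line for issue 203 is ignored; join the flagged usernames against MantisBT's user table to confirm which of them hold only REPORTER access.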

Evidence notes

Vulnerability description sourced from official CVE record and NVD entry. Affected version range (2.23.0 to 2.28.1) and fix version (2.28.2) confirmed through GitHub security advisory and commit reference. CVSS 4.0 vector and score (7.2 HIGH) from NVD source data. CWE-862 (Missing Authorization) classification from [email protected] source. API endpoints and minimum privilege level (REPORTER+) derived from CVE description.

Official resources

2026-05-28