CVE-2026-42070
Deferred Deferred - Pending Action
MantisBT Bugnote Privilege Escalation Vulnerability

Publication date: 2026-05-28

Last updated on: 2026-05-28

Assigner: GitHub, Inc.

Description
Mantis Bug Tracker (MantisBT) is an open source issue tracker. Prior to 2.28.2, the mc_issue_update() function in MantisBT allows users having update_bug_threshold access (UPDATER, with default settings) to edit, change view state, and modify time tracking on bugnotes belonging to other users β€” bypassing the default DEVELOPER (level 55) threshold required by the dedicated mc_issue_note_update() function. This vulnerability is fixed in 2.28.2.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-28
Last Modified
2026-05-28
Generated
2026-06-19
AI Q&A
2026-05-29
EPSS Evaluated
2026-06-18
NVD
CVE-2026-42070
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
mantisbt mantis_bug_tracker to 2.28.2 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-863 The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Compliance Impact

This vulnerability allows users with UPDATER access to modify bugnotes belonging to other users, including changing their view state from private to public or vice versa. Such unauthorized changes can lead to exposure of confidential discussions or hiding of information, which may result in unauthorized disclosure or improper handling of sensitive data.

Because of this, the vulnerability could negatively impact compliance with data protection regulations such as GDPR or HIPAA, which require strict controls over access to and disclosure of personal or sensitive information. Unauthorized modification of note privacy settings could lead to breaches of confidentiality and data protection requirements.

Executive Summary

This vulnerability exists in Mantis Bug Tracker (MantisBT) versions prior to 2.28.2. It involves the mc_issue_update() function, which allows users with update_bug_threshold access (typically UPDATER role) to edit, change the view state, and modify time tracking on bugnotes that belong to other users. This bypasses the intended access control enforced by the mc_issue_note_update() function, which requires a higher DEVELOPER level (level 55) threshold. Essentially, users with lower privileges can perform actions that should be restricted to more privileged users.

Impact Analysis

The vulnerability allows users with relatively low privileges (UPDATER role) to modify bugnotes created by other users, including editing content, changing visibility, and altering time tracking information. This can lead to unauthorized changes in issue tracking data, potentially causing misinformation, loss of data integrity, and disruption in project management workflows.

Mitigation Strategies

To mitigate this vulnerability, you should upgrade Mantis Bug Tracker to version 2.28.2 or later, where the issue is fixed.

Additionally, review and restrict user permissions related to update_bug_threshold access to minimize risk until the upgrade is applied.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-42070. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart