CVE-2026-42070
MantisBT Bugnote Privilege Escalation Vulnerability
Publication date: 2026-05-28
Last updated on: 2026-05-28
Assigner: GitHub, Inc.
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| mantisbt | mantis_bug_tracker | up to 2.28.2 (exclusive) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-863 | The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in Mantis Bug Tracker (MantisBT) versions prior to 2.28.2. It involves the mc_issue_update() function, which allows users with update_bug_threshold access (typically the UPDATER role) to edit the text, change the view state, and modify the time tracking of bugnotes that belong to other users. This bypasses the access control enforced by the dedicated mc_issue_note_update() function, which requires the higher DEVELOPER threshold (level 55). In short, an issue-level update path applies bugnote changes without repeating the per-note authorization check, so lower-privileged users can perform actions that should be restricted to more privileged users (CWE-863: incorrect authorization).
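The following is an added illustration of the authorization pattern described above; it is not MantisBT's own code, and the constant values, function names and the sample bugnote are constructed for the example (the page states only that the note-update path requires the DEVELOPER threshold, level 55). It contrasts an issue-level update handler that checks only the issue threshold with one that re-applies the note-level check for every note embedded in the update payload.

```php
<?php
// Added example (not MantisBT code): the CWE-863 pattern behind this CVE.
// Level values other than DEVELOPER (55, stated on the page) are assumed.
const UPDATER   = 40;
const DEVELOPER = 55;

// Assumed thresholds mirroring the page's description.
const UPDATE_BUG_THRESHOLD  = UPDATER;    // enough to update an issue
const UPDATE_NOTE_THRESHOLD = DEVELOPER;  // required to edit other users' notes

// Vulnerable pattern: the issue-level handler checks only the issue threshold,
// then applies whatever note edits arrived in the same payload.
function issueUpdateAllowsNoteEditWeak(int $callerLevel, int $callerId, array $note): bool
{
    return $callerLevel >= UPDATE_BUG_THRESHOLD;   // no per-note check at all
}

// Fixed pattern: every code path that modifies a note applies the same rule
// as the dedicated note-update endpoint. Letting authors edit their own notes
// at the issue threshold is an assumed convention for this example only.
function noteEditAllowed(int $callerLevel, int $callerId, array $note): bool
{
    if ($note['reporter_id'] === $callerId) {
        return $callerLevel >= UPDATE_BUG_THRESHOLD;
    }
    return $callerLevel >= UPDATE_NOTE_THRESHOLD;
}

// Apply a batch of note changes from an issue update, rejecting (and logging)
// any note the caller is not authorized to touch instead of silently applying it.
function applyNoteChanges(array $caller, array $notes, callable $check): array
{
    $applied = [];
    foreach ($notes as $note) {
        if (!$check($caller['level'], $caller['id'], $note)) {
            error_log(sprintf('rejected note %d edit by user %d (level %d)',
                $note['id'], $caller['id'], $caller['level']));
            continue;
        }
        $applied[] = $note['id'];
    }
    return $applied;
}

// Constructed sample: a private note written by user 7, plus the caller's own note,
// both arriving in one issue update from UPDATER-level user 12.
$notes  = [
    ['id' => 101, 'reporter_id' => 7,  'view_state' => 'private'],
    ['id' => 102, 'reporter_id' => 12, 'view_state' => 'public'],
];
$caller = ['id' => 12, 'level' => UPDATER];

print_r(applyNoteChanges($caller, $notes, 'issueUpdateAllowsNoteEditWeak')); // [101, 102]: other user's note edited
print_r(applyNoteChanges($caller, $notes, 'noteEditAllowed'));               // [102]: only the caller's own note
```

The point for reviewers of similar code is that the authorization decision must live with the resource being modified (the note), not with the entry point that happens to carry it (the issue update); any second path that writes the same resource must call the same check, and rejections should be logged so privilege-boundary probing is visible.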
The vulnerability allows users with relatively low privileges (UPDATER role) to modify bugnotes created by other users, including editing content, changing visibility, and altering time tracking information. This can lead to unauthorized changes in issue tracking data, potentially causing misinformation, loss of data integrity, and disruption in project management workflows.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, you should upgrade Mantis Bug Tracker to version 2.28.2 or later, where the issue is fixed.
Additionally, review and restrict user permissions related to update_bug_threshold access to minimize risk until the upgrade is applied.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
This vulnerability allows users with UPDATER access to modify bugnotes belonging to other users, including changing their view state from private to public or vice versa. Such unauthorized changes can lead to exposure of confidential discussions or hiding of information, which may result in unauthorized disclosure or improper handling of sensitive data.
Because of this, the vulnerability could negatively impact compliance with data protection regulations such as GDPR or HIPAA, which require strict controls over access to and disclosure of personal or sensitive information. Unauthorized modification of note privacy settings could lead to breaches of confidentiality and data protection requirements.