CVE-2026-42071
MantisBT Unauthorized File Access via REST API
Publication date: 2026-05-28
Last updated on: 2026-05-28
Assigner: GitHub, Inc.
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| mantisbt | mantis_bug_tracker | 2.28.2 |
| mantisbt | mantis_bug_tracker | From 2.23.0 (inc) to 2.28.1 (inc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-862 | The product does not perform an authorization check when an actor attempts to access a resource or perform an action. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in Mantis Bug Tracker (MantisBT) versions 2.23.0 to 2.28.1. It is caused by a missing authorization check in the file visibility function. Because of this, any authenticated user with at least REPORTER+ permissions can download attachments on private bugnotes that they should not have access to. This unauthorized access can be done via the REST API endpoint GET /api/rest/issues/{id}/files or the SOAP API mc_issue_attachment_get endpoint. The issue is fixed in version 2.28.2.
How can this vulnerability impact me?
This vulnerability allows unauthorized users with basic authenticated access to download private attachments from bugnotes they should not be able to see. This can lead to exposure of sensitive or confidential information stored in those attachments, potentially causing data leaks or breaches.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, you should upgrade Mantis Bug Tracker to version 2.28.2 or later, where the missing authorization check has been fixed.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability in Mantis Bug Tracker allows any authenticated user with reporter-level access to download attachments on private bugnotes they should not be authorized to access. This unauthorized access to potentially sensitive information could lead to violations of data protection regulations such as GDPR and HIPAA, which require strict controls on access to personal and sensitive data.
By exposing private attachments without proper authorization checks, the vulnerability undermines confidentiality and access control requirements mandated by these standards, potentially resulting in non-compliance and associated legal or regulatory consequences.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability allows authenticated users with REPORTER+ access to download attachments from private bugnotes via the REST API endpoint GET /api/rest/issues/{id}/files and the SOAP API mc_issue_attachment_get endpoint, bypassing proper authorization checks.
To detect exploitation attempts on your network or system, you can monitor HTTP requests targeting these specific API endpoints, especially those that include file download requests or file listing requests for private bugnotes.
Suggested commands to detect potential exploitation attempts include searching web server logs or network traffic for suspicious API calls:
- Using grep on web server logs to find REST API file listing requests: `grep "/api/rest/issues/" /var/log/apache2/access.log | grep "/files"`
- Searching for SOAP API mc_issue_attachment_get calls in logs or network captures, if logged.
- Using network monitoring tools (e.g., Wireshark or Zeek) to filter HTTP GET requests to endpoints matching /api/rest/issues/*/files or SOAP requests invoking mc_issue_attachment_get.
Additionally, reviewing user activity logs for authenticated users with REPORTER or higher roles accessing these endpoints can help identify unauthorized access attempts.
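As an added example (not part of the CVE record and not MantisBT code), the following Python scans Apache combined-format access-log lines for the REST endpoint named above and reports clients that successfully listed attachments across many distinct issues. The log lines are constructed samples; the SOAP endpoint path and the per-client threshold are assumptions to adapt to your deployment.

```python
import re
from collections import defaultdict

# Apache combined format; user is set only under HTTP Basic auth, so key on host too.
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)
# Endpoint from the advisory; searched, not anchored, so sub-path installs (/mantis/...) match.
FILES_RE = re.compile(r'/api/rest/issues/(?P<issue>\d+)/files(?:[/?]|$)')

def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def find_file_listings(lines):
    """Return (host, user, issue_id, status) for every GET of an issue's attachment list."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] != "GET":
            continue
        fm = FILES_RE.search(rec["path"])
        if fm:
            hits.append((rec["host"], rec["user"], fm.group("issue"), int(rec["status"])))
    return hits

def suspicious_clients(hits, threshold=3):
    """Clients that successfully (HTTP 200) listed attachments on >= threshold distinct issues."""
    # Harvesting private attachments means walking many issue ids, so breadth per
    # client is the signal; the threshold is a placeholder to tune per site.
    issues = defaultdict(set)
    for host, user, issue, status in hits:
        if status == 200:
            issues[(host, user)].add(issue)
    return {k: sorted(v) for k, v in issues.items() if len(v) >= threshold}

# Constructed sample lines, not real traffic. The SOAP POST (assumed path) is deliberately
# not matched: mc_issue_attachment_get is named in the request body, which access logs
# do not record, so SOAP misuse needs body logging or a network sensor (Zeek, Wireshark).
SAMPLE_LOG = [
    '10.0.0.5 - alice [28/May/2026:10:00:01 +0000] "GET /api/rest/issues/101/files HTTP/1.1" 200 512 "-" "curl/8.0"',
    '10.0.0.5 - alice [28/May/2026:10:00:02 +0000] "GET /api/rest/issues/102/files HTTP/1.1" 200 498 "-" "curl/8.0"',
    '10.0.0.5 - alice [28/May/2026:10:00:03 +0000] "GET /mantis/api/rest/issues/103/files?page=1 HTTP/1.1" 200 530 "-" "curl/8.0"',
    '10.0.0.9 - bob [28/May/2026:10:01:05 +0000] "GET /api/rest/issues/101/files HTTP/1.1" 403 120 "-" "Mozilla/5.0"',
    '10.0.0.7 - - [28/May/2026:10:02:00 +0000] "POST /api/soap/mantisconnect.php HTTP/1.1" 200 900 "-" "python-requests/2.31"',
]

if __name__ == "__main__":
    print(suspicious_clients(find_file_listings(SAMPLE_LOG)))
```

To run it against a real server, pass an open file handle such as `open("/var/log/apache2/access.log")` to `find_file_listings` in place of `SAMPLE_LOG`.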