CVE-2026-42070

CVSS v4.0

5.3

Medium

Vector

AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N

The mc issue update() function in MantisBT allows users having update bug threshold access (UPDATER, with default settings) to edit, change view state, and modify time tracking on bugnotes belonging to other users — bypassing the default DEVELOPER (level 55) threshold required by the dedicated mc issue note update() function.

Impact

UPDATER can edit notes by DEVELOPER/MANAGER/ADMIN — bypassing the DEVELOPER threshold
UPDATER can change private notes to public — exposing confidential internal discussion
UPDATER can change public notes to private — hiding information from reporters/viewers

Patches

6e58fae4f22efdc3987f903c8ba2611de17a9435

Workarounds

None

Credits

Thanks to the following security researchers for independently discovering and responsibly reporting the issue.

Vishal Shukla
Tristan Madani (@TristanInSec) from Talence Security

This advisory's contents was largely copied from Tristan's well-written report.

Fix

Incorrect Authorization

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-863

Related Identifiers

CVE-2026-42070

GHSA-PQ86-J2C2-47F6

Affected Products

Mantisbt/Mantisbt

CVE-2026-42070

Impact

Patches

Workarounds

Credits

Weakness Enumeration

Related Identifiers

Affected Products

References · 6