PT-2026-39891 · Mantisbt · Mantisbt
Published 2026-05-11 · Updated 2026-05-28 · CVE-2026-42071
CVSS v4.0: 7.2 (High)
Vector: AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Name of the Vulnerable Software and Affected Versions
MantisBT (affected versions not specified)
Description
A missing authorization check in the file visibility function allows any authenticated user with REPORTER level access or higher to download attachments from private bugnotes they are not authorized to access. This occurs through the REST API endpoint "/api/rest/issues/{id}/files" and the SOAP API endpoint mc_issue_attachment_get(). Private bugnotes are designed for internal developer discussions, and their attachments, such as logs, screenshots, and patches, are intended to be protected. The web user interface is not affected because it filters attachments through the bugnote_get_all_visible_bugnotes() function.
Recommendations
Apply the patch 029d9d203d9e4ae96b3e59d552fa7395cc1e5071.
Restrict access to the "/api/rest/issues/{id}/files" REST API endpoint and the mc_issue_attachment_get() SOAP API endpoint to minimize the risk of unauthorized file downloads.
Fix
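The description above makes a general point worth seeing in code: an attachment inherits the visibility of the bugnote it belongs to, so a file-listing or file-download function must derive its result from the set of bugnotes the caller may see, not from every bugnote on the issue. The following is an added, self-contained illustration of that pattern in Python; it is not MantisBT code and does not use MantisBT's API. The access-level numbers, the DEVELOPER threshold for private bugnotes, the data classes and the sample issue are all constructed assumptions for the example. The caller is assumed to have already passed the issue-level access check, which is exactly the point at which the flawed listing stops checking.

```python
"""Constructed example: attachment visibility derived from bugnote visibility.

Not MantisBT code. Access-level values, the private-bugnote threshold and the
sample data below are assumptions made for this illustration only.
"""
from dataclasses import dataclass, field
from typing import List, Optional

# Assumed access levels (numbering chosen for the example).
REPORTER = 25
DEVELOPER = 55

# Assumed policy: private bugnotes are visible from DEVELOPER upwards.
PRIVATE_BUGNOTE_THRESHOLD = DEVELOPER


@dataclass
class Attachment:
    id: int
    filename: str


@dataclass
class Bugnote:
    id: int
    private: bool
    attachments: List[Attachment] = field(default_factory=list)


@dataclass
class Issue:
    id: int
    attachments: List[Attachment] = field(default_factory=list)  # files on the issue itself
    bugnotes: List[Bugnote] = field(default_factory=list)


def can_view_private_bugnotes(access_level: int) -> bool:
    return access_level >= PRIVATE_BUGNOTE_THRESHOLD


def visible_bugnotes(issue: Issue, access_level: int) -> List[Bugnote]:
    """The filter the web UI path applies: drop private notes the caller may not see."""
    return [n for n in issue.bugnotes
            if not n.private or can_view_private_bugnotes(access_level)]


def list_files_vulnerable(issue: Issue, access_level: int) -> List[int]:
    """Mirrors the flawed behaviour: once the caller may see the issue, every
    attachment is returned, including those on private bugnotes."""
    files = list(issue.attachments)
    for note in issue.bugnotes:          # no visibility filter here
        files.extend(note.attachments)
    return [f.id for f in files]


def list_files_fixed(issue: Issue, access_level: int) -> List[int]:
    """Hardened listing: walk only the bugnotes the caller is allowed to see."""
    files = list(issue.attachments)
    for note in visible_bugnotes(issue, access_level):
        files.extend(note.attachments)
    return [f.id for f in files]


def can_download(issue: Issue, access_level: int, file_id: int) -> bool:
    """Per-file check for a download endpoint: allow only ids in the visible set.
    Unknown ids fail closed rather than falling back to an issue-level check."""
    return file_id in set(list_files_fixed(issue, access_level))


def get_file(issue: Issue, access_level: int, file_id: int) -> Optional[Attachment]:
    """Download handler using the per-file check; raises on denied access."""
    if not can_download(issue, access_level, file_id):
        raise PermissionError(f"attachment {file_id} is not visible at level {access_level}")
    for att in issue.attachments + [a for n in issue.bugnotes for a in n.attachments]:
        if att.id == file_id:
            return att
    return None


# Constructed sample: one public file on the issue, one public note with a
# screenshot, one private developer note carrying an internal log.
SAMPLE_ISSUE = Issue(
    id=42,
    attachments=[Attachment(1, "repro.txt")],
    bugnotes=[
        Bugnote(10, private=False, attachments=[Attachment(2, "screenshot.png")]),
        Bugnote(11, private=True, attachments=[Attachment(3, "internal-debug.log")]),
    ],
)

if __name__ == "__main__":
    print("vulnerable, REPORTER:", list_files_vulnerable(SAMPLE_ISSUE, REPORTER))
    print("fixed, REPORTER:     ", list_files_fixed(SAMPLE_ISSUE, REPORTER))
    print("fixed, DEVELOPER:    ", list_files_fixed(SAMPLE_ISSUE, DEVELOPER))
```

Running the module shows the difference directly: the flawed listing hands a REPORTER the id of the private log, while the hardened listing and the per-file check both exclude it. The design choice is that the download path reuses the same visibility function as the listing path, so the two can never drift apart.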
Weakness Enumeration
Missing Authorization
Related Identifiers
Affected Products
Mantisbt