Description
Mantis Bug Tracker (MantisBT) is an open source issue tracker. Prior to 2.28.2, the mc_issue_update() function in MantisBT allows users having update_bug_threshold access (UPDATER, with default settings) to edit, change view state, and modify time tracking on bugnotes belonging to other users — bypassing the default DEVELOPER (level 55) threshold required by the dedicated mc_issue_note_update() function. This vulnerability is fixed in 2.28.2.
Published: 2026-05-28
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Mantis Bug Tracker contains a flaw in the mc_issue_update() function. Users who hold update_bug_threshold access (the UPDATER level under default settings) can edit bugnotes written by other users through this function, bypassing the stricter DEVELOPER-level check that the dedicated mc_issue_note_update() function enforces. An attacker with that access can alter the text of existing notes, change their view state, or tamper with their time-tracking fields on bugnotes they should not be able to influence, undermining the integrity of the issue history.
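To make the gap concrete, the following is an added Python model (not MantisBT's own code) of the two update paths: the vulnerable issue-update path checks only the issue-level threshold and applies nested bugnote edits unchecked, while the fixed path applies the per-note check that the dedicated note-update path already enforces before writing anything. The numeric levels are MantisBT's defaults (UPDATER 40, DEVELOPER 55); the issue and note structures, function names and field names are assumptions made for the model.

```python
# Added example, not MantisBT code: model of the gap. Levels are MantisBT defaults (assumed).
UPDATER, DEVELOPER = 40, 55
UPDATE_BUG_THRESHOLD = UPDATER        # who may update an issue
UPDATE_BUGNOTE_THRESHOLD = DEVELOPER  # who may edit bugnotes written by others

class Forbidden(Exception):
    pass

def can_edit_bugnote(actor, note):
    """A note may be edited by its author or by anyone at or above the bugnote threshold."""
    return actor["id"] == note["reporter_id"] or actor["level"] >= UPDATE_BUGNOTE_THRESHOLD

def apply_note_changes(issue, changes):
    for change in changes:
        issue["notes"][change["id"]].update({k: v for k, v in change.items() if k != "id"})

def issue_update_vulnerable(actor, issue, payload):
    # Only the issue-level threshold is checked; nested note edits ride along unchecked.
    if actor["level"] < UPDATE_BUG_THRESHOLD:
        raise Forbidden("update_bug_threshold")
    issue["summary"] = payload.get("summary", issue["summary"])
    apply_note_changes(issue, payload.get("notes", []))
    return issue

def issue_update_fixed(actor, issue, payload):
    # Same issue-level check, then the per-note check of the dedicated note path, for every note before any write.
    if actor["level"] < UPDATE_BUG_THRESHOLD:
        raise Forbidden("update_bug_threshold")
    for change in payload.get("notes", []):
        if not can_edit_bugnote(actor, issue["notes"][change["id"]]):
            raise Forbidden(f"bugnote {change['id']}: update_bugnote_threshold")
    issue["summary"] = payload.get("summary", issue["summary"])
    apply_note_changes(issue, payload.get("notes", []))
    return issue

def sample_issue():
    # Constructed sample data: note 1 written by user 7, note 2 by user 9.
    return {"summary": "Login fails", "notes": {
        1: {"reporter_id": 7, "view_state": "public", "time_tracking": 30},
        2: {"reporter_id": 9, "view_state": "private", "time_tracking": 120}}}

def run_scenario(handler, actor_id=7, level=UPDATER):
    """Send an edit of note 2 through the issue-update path; report what happened."""
    payload = {"notes": [{"id": 2, "view_state": "public", "time_tracking": 0}]}
    try:
        issue = handler({"id": actor_id, "level": level}, sample_issue(), payload)
        return "applied", issue["notes"][2]["view_state"], issue["notes"][2]["time_tracking"]
    except Forbidden as reason:
        return "denied", str(reason)
```

With the defaults, `run_scenario(issue_update_vulnerable)` lets an UPDATER rewrite another user's note, while `run_scenario(issue_update_fixed)` refuses it but still lets the note's author and any DEVELOPER through.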

Affected Systems

Every MantisBT installation older than 2.28.2 is vulnerable. The issue is in the core MantisBT product (vendor/product mantisbt:mantisbt). Users granted the UPDATER level under the default role hierarchy can exploit the flaw, so any deployment that lets non-developer users update bugs is affected.

Risk and Exploitability

The CVSS score of 5.3 indicates moderate risk, and the EPSS score is not available, making it difficult to gauge the current exploitation probability. The vulnerability is not listed in CISA KEV. Based on the description, the likely attack vector is an authenticated user with update_bug_threshold access who calls the issue update API (mc_issue_update()) to reach the vulnerable code path. Such a user could modify bugnotes they do not own, corrupting project records and eroding trust in the issue history.

Generated by OpenCVE AI on May 28, 2026 at 22:05 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade MantisBT to 2.28.2 or newer to apply the vendor fix
  • Restrict update_bug_threshold access so that it is not granted to roles below DEVELOPER
  • Disable or limit the use of the mc_issue_update() API for users below DEVELOPER level

Advisories
Source: GitHub GHSA
ID: GHSA-pq86-j2c2-47f6
Title: MantisBT: Authorization Bypass in Bugnote Editing via Issue Update API
History

Thu, 28 May 2026 21:45:00 +0000

Type: First Time appeared; Values Added: Mantisbt, Mantisbt mantisbt
Type: Vendors & Products; Values Added: Mantisbt, Mantisbt mantisbt

Thu, 28 May 2026 20:45:00 +0000

Type: Description; Values Added: Mantis Bug Tracker (MantisBT) is an open source issue tracker. Prior to 2.28.2, the mc_issue_update() function in MantisBT allows users having update_bug_threshold access (UPDATER, with default settings) to edit, change view state, and modify time tracking on bugnotes belonging to other users — bypassing the default DEVELOPER (level 55) threshold required by the dedicated mc_issue_note_update() function. This vulnerability is fixed in 2.28.2.
Type: Title; Values Added: MantisBT: Authorization Bypass in Bugnote Editing via Issue Update API
Type: Weaknesses; Values Added: CWE-863
Type: References; Values Added: none listed
Type: Metrics; Values Added: cvssV4_0 {'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N'}

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-28T20:28:20.369Z

Reserved: 2026-04-23T19:17:30.564Z

Link: CVE-2026-42070

Vulnrichment

No data.

NVD

Status : Deferred

Published: 2026-05-28T21:16:29.830

Modified: 2026-05-29T15:11:03.853

Link: CVE-2026-42070

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-28T22:15:06Z

Weaknesses