Description
Mantis Bug Tracker (MantisBT) is an open source issue tracker. From 2.23.0 to 2.28.1, a missing authorization check in MantisBT's file visibility function allows any authenticated user (REPORTER+) to download attachments on private bugnotes they should not be able to access, via the REST API endpoint GET /api/rest/issues/{id}/files and SOAP API mc_issue_attachment_get endpoint. This vulnerability is fixed in 2.28.2.
Published: 2026-05-28
Score: 7.2 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A missing authorization check in the file visibility function of Mantis Bug Tracker allows any authenticated user with a REPORTER+ role to retrieve attachments from private bugnotes via the REST API endpoint GET /api/rest/issues/{id}/files and the SOAP API mc_issue_attachment_get. This defect enables the exfiltration of data that should remain confidential, thereby compromising the confidentiality of sensitive project information.

Affected Systems

The vulnerability affects MantisBT from version 2.23.0 through 2.28.1. The fix is available in 2.28.2 and later releases.

Risk and Exploitability

The CVSS score of 7.2 indicates moderate to high severity. No EPSS score is available, so the exact likelihood of exploitation cannot be quantified, but any authenticated user can exploit the flaw via the documented REST or SOAP endpoints. The vulnerability is not listed in the CISA KEV catalog, suggesting no publicly known large‑scale exploitation yet.

Generated by OpenCVE AI on May 28, 2026 at 21:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade MantisBT to version 2.28.2 or later to apply the vendor patch.
  • If an upgrade is delayed, restrict access to the REST and SOAP file download endpoints through network controls or API gateway policies so that only trusted networks or service accounts can call them.
  • Review role assignments and limit the REPORTER+ role to trusted users, or revoke the role from accounts that do not require access to private bugnotes.

Advisories
Source: Github GHSA
ID: GHSA-pw5x-2mf9-3xc8
Title: MantisBT has a Private Bugnote Attachment Content Leak via REST API
History

Fri, 29 May 2026 14:30:00 +0000

Type: Metrics (ssvc)
Values added: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 28 May 2026 22:30:00 +0000

Type: First Time appeared
Values added: Mantisbt; Mantisbt mantisbt
Type: Vendors & Products
Values added: Mantisbt; Mantisbt mantisbt

Thu, 28 May 2026 20:45:00 +0000

Type: Description
Values added: Mantis Bug Tracker (MantisBT) is an open source issue tracker. From 2.23.0 to 2.28.1, a missing authorization check in MantisBT's file visibility function allows any authenticated user (REPORTER+) to download attachments on private bugnotes they should not be able to access, via the REST API endpoint GET /api/rest/issues/{id}/files and SOAP API mc_issue_attachment_get endpoint. This vulnerability is fixed in 2.28.2.
Type: Title
Values added: MantisBT: Private Bugnote Attachment Content Leak via REST API
Type: Weaknesses
Values added: CWE-862
Type: References
Type: Metrics (cvssV4_0)
Values added: {'score': 7.2, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:L/VA:L/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-29T13:56:52.065Z

Reserved: 2026-04-23T19:17:30.564Z

Link: CVE-2026-42071

Vulnrichment

Updated: 2026-05-29T13:56:47.471Z

NVD

Status: Deferred

Published: 2026-05-28T21:16:30.017

Modified: 2026-05-29T15:11:03.853

Link: CVE-2026-42071

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-28T22:15:06Z

Weaknesses