CVE-2026-42071
MantisBT: Private Bugnote Attachment Content Leak via REST API
CVSS Score
0.0
EPSS Score
0.0%
EPSS Percentile
13th
Mantis Bug Tracker (MantisBT) is an open source issue tracker. From 2.23.0 to 2.28.1, a missing authorization check in MantisBT's file visibility function allows any authenticated user (REPORTER or higher) to download attachments on private bugnotes they should not be able to access, via the REST API endpoint GET /api/rest/issues/{id}/files and the SOAP API endpoint mc_issue_attachment_get. This vulnerability is fixed in 2.28.2.
| Field | Value |
|---|---|
| CWE | CWE-862 |
| Vendor | mantisbt |
| Product | mantisbt |
| Published | May 28, 2026 |
| Last Updated | May 29, 2026 |
Affected Versions
mantisbt / mantisbt
>= 2.23.0, < 2.28.2
References
- github.com: https://github.com/mantisbt/mantisbt/security/advisories/GHSA-pw5x-2mf9-3xc8
- github.com: https://github.com/mantisbt/mantisbt/commit/029d9d203d9e4ae96b3e59d552fa7395cc1e5071
- mantisbt.org: https://mantisbt.org/bugs/view.php?id=27039
- mantisbt.org: https://mantisbt.org/bugs/view.php?id=36985
- mantisbt.org: https://mantisbt.org/bugs/view.php?id=37092