The mc_issue_update() function in MantisBT allows users with update_bug_threshold access (UPDATER under default settings) to edit the text, change the view state, and modify the time tracking of bugnotes belonging to other users, bypassing the default DEVELOPER (level 55) threshold that the dedicated mc_issue_note_update() function enforces.
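The root cause described above is an authorization check applied on one API path but not on another that writes the same records. The following is an added illustration, not MantisBT code: it models the per-note policy that both paths should share, assuming a simplified payload shape and hypothetical function names, with MantisBT's default numeric access levels (UPDATER = 40, DEVELOPER = 55).

```python
"""Model of the per-note authorization check the advisory says
mc_issue_update() skipped. Added illustration, not MantisBT code: the
payload shape and function names are assumed; the numeric access levels
are MantisBT defaults (UPDATER = 40, DEVELOPER = 55)."""
from dataclasses import dataclass

UPDATER = 40
DEVELOPER = 55
UPDATE_BUGNOTE_THRESHOLD = DEVELOPER   # default threshold per the advisory


@dataclass(frozen=True)
class BugNote:
    note_id: int
    reporter_id: int
    text: str
    view_state: str = "public"   # "public" or "private"
    time_tracking: int = 0       # minutes


class AuthorizationError(Exception):
    pass


def _changed(old: BugNote, new: BugNote) -> bool:
    # Any of the three fields the advisory names counts as a modification.
    return (old.text, old.view_state, old.time_tracking) != (
        new.text, new.view_state, new.time_tracking)


def authorize_note_updates(user_id, access_level, existing, submitted):
    """Return ids of notes the caller may write; raise on anyone else's note.

    Policy: own notes may be edited; another user's note (text, view state
    or time tracking) needs update_bugnote_threshold, whichever API path
    carries the change.
    """
    by_id = {n.note_id: n for n in existing}
    allowed = []
    for note in submitted:
        old = by_id.get(note.note_id)
        if old is None or not _changed(old, note):
            continue  # new notes take the add-note path; unchanged ones are no-ops
        if old.reporter_id != user_id and access_level < UPDATE_BUGNOTE_THRESHOLD:
            raise AuthorizationError(
                f"note {note.note_id} belongs to user {old.reporter_id}")
        allowed.append(note.note_id)
    return allowed


def mc_issue_update_model(user_id, access_level, existing, payload_notes):
    # The fix in model form: the whole-issue update path runs the same
    # check as the dedicated note-update path instead of trusting the
    # bugnotes embedded in the issue payload.
    return authorize_note_updates(user_id, access_level, existing, payload_notes)
```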
Thanks to the following security researchers for independently discovering and responsibly reporting the issue.
- Vishal Shukla
- Tristan Madani (@TristanInSec) from Talence Security
This advisory's contents were largely copied from Tristan's well-written report.
| EPSS score | EPSS percentile |
|---|---|
| 0.04% | 13.59% |
| CVSS base score | Version | Severity | Vector |
|---|---|---|---|
| 5.3 | 4.0 | — | |
| Type | Value |
|---|---|
| GHSA | GHSA-pq86-j2c2-47f6 |
| CVE | CVE-2026-42070 |
| CWE id | Name |
|---|---|
| CWE-863 | Incorrect Authorization |
Vulnerable version ranges and first patched releases as published by GitHub.
| Ecosystem | Package | Vulnerable range | First patched | Vulnerable functions |
|---|---|---|---|---|
| composer | mantisbt/mantisbt | <= 2.28.1 | 2.28.2 | — |