A missing authorization check in MantisBT's file visibility function allows any authenticated user (REPORTER+) to download attachments on private bugnotes they should not be able to access, via the REST API endpoint GET /api/rest/issues/{id}/files and SOAP API mc_issue_attachment_get endpoint.
None
Thanks to the following security researchers for independently discovering and responsibly reporting the issue.
- Vishal Shukla
- Tristan Madani (@TristanInSec) from Talence Security
- Tang Cheuk Hei (@siunam321)
This advisory's contents was largely copied from Tristan's well-written report.
| Score | Percentile |
|---|---|
| 0.05% | 14.65% |
| Base score | Version | Severity | Vector |
|---|---|---|---|
| 7.2 | 4.0 | — |
|
| Type | Value |
|---|---|
| GHSA | GHSA-pw5x-2mf9-3xc8 ↗ |
| CVE | CVE-2026-42071 ↗ |
| CWE id | Name |
|---|---|
| CWE-862 | Missing Authorization |
Vulnerable version ranges and first patched releases as published by GitHub.
| Ecosystem | Package | Vulnerable range | First patched | Vulnerable functions |
|---|---|---|---|---|
| composer | mantisbt/mantisbt | >= 2.23.0, <= 2.28.1 | 2.28.2 | — |