Access Control Flaw in Mantis Bug Tracker Allows Unauthorized Bugnote Modifications
CVE-2026-42070
5.3 MEDIUM
What is CVE-2026-42070?
Mantis Bug Tracker, an open source issue tracking system, had a vulnerability where users with the update_bug_threshold access level were able to modify other users’ bugnotes. This allowed unauthorized changes to bugnote content and view states, bypassing the higher DEVELOPER level access normally required. The issue has been resolved in version 2.28.2, improving the integrity of user access rights and data protection.
Affected Version(s)
mantisbt < 2.28.2
