Access Control Flaw in Mantis Bug Tracker Allows Unauthorized Bugnote Modifications
CVE-2026-42070

5.3 MEDIUM

Key Information:

Vendor: Mantisbt

Status
Vendor
CVE Published: 28 May 2026

What is CVE-2026-42070?

Mantis Bug Tracker, an open source issue tracking system, contained an access control flaw: users whose access level met update_bug_threshold were able to modify other users’ bugnotes. This allowed unauthorized changes to bugnote content and view state, bypassing the higher DEVELOPER access level normally required. The issue has been resolved in version 2.28.2, which improves the integrity of user access rights and data protection.

Affected Version(s)

mantisbt < 2.28.2

CVSS V4

Score: 5.3
Severity: MEDIUM
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Attack Required: None
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability Reserved
