Missing Authorization Check in Mantis Bug Tracker Allows Unauthorized Access to Files
CVE-2026-42071
7.2HIGH
What is CVE-2026-42071?
Mantis Bug Tracker (MantisBT), an open-source issue tracking system, contains a vulnerability due to a missing authorization check within its file visibility functionality. This flaw affects versions 2.23.0 through 2.28.1, allowing any authenticated user with REPORTER+ access to download attachments from private bug notes that they should not have been able to access. This can occur through specific API endpoints, compromising the confidentiality of sensitive information. This issue has been addressed in version 2.28.2.
Affected Version(s)
mantisbt >= 2.23.0, < 2.28.2
