Missing Authorization Check in Mantis Bug Tracker Allows Unauthorized Access to Files
CVE-2026-42071

7.2HIGH

Key Information:

Vendor

Mantisbt

Status
Vendor
CVE Published:
28 May 2026

What is CVE-2026-42071?

Mantis Bug Tracker (MantisBT), an open-source issue tracking system, contains a vulnerability due to a missing authorization check within its file visibility functionality. This flaw affects versions 2.23.0 through 2.28.1, allowing any authenticated user with REPORTER+ access to download attachments from private bug notes that they should not have been able to access. This can occur through specific API endpoints, compromising the confidentiality of sensitive information. This issue has been addressed in version 2.28.2.

Affected Version(s)

mantisbt >= 2.23.0, < 2.28.2

References

CVSS V4

Score:
7.2
Severity:
HIGH
Confidentiality:
High
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.