MantisBT unauthorized disclosure of private project column configuration
Description
Mantis Bug Tracker (MantisBT) is an open source issue tracker. In versions 2.27.1 and below, due to insufficient access-level checks, any non-admin user with access to manage_config_columns_page.php can use the Copy From action to retrieve the columns configuration from a private project they have no access to. This issue is fixed in version 2.27.2.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
In MantisBT 2.27.1 and earlier, a non-admin user who can reach manage_config_columns_page.php can copy the column configuration of a private project they have no access to, because the "Copy From" action never checks the source project; fixed in 2.27.2.
In MantisBT versions 2.27.1 and below, the "Copy From" action on manage_config_columns_page.php is carried out by manage_columns_copy.php (the file changed in the fix) without verifying the user's access level on the source project. Any non-admin user who can reach that page, typically a user holding the MANAGER level on at least one project, can therefore retrieve the column configuration of any private project, whether or not they are a member of it [1][4].
The attack surface is limited to users who can reach manage_config_columns_page.php, which is normally granted to project managers. Using "Copy From", such a user selects any project as the source, including a private one they cannot otherwise view; the copy runs server-side and the source project's access level is never checked [2]. The reverse "Copy To" direction was already covered: the patch context shows existing MANAGER and view_bug_threshold checks on $t_dst_project_id, so the flaw permits reading, not writing, another project's configuration.
The impact is disclosure of a private project's column configuration: the list of columns the project displays, which can include the names of its custom fields and so hints at how the restricted project is organised and tracked. An attacker gains insight into the structure of a project they should not be able to see, but not into its issues themselves [4].
The issue was fixed in MantisBT 2.27.2 by commit 4fe94f45fa2b, which adds a MANAGER-level check on the source project before the copy [2]. Upgrade to 2.27.2 or later; no workaround is available [4]. The issue was reported by d3vpoo1 [4].
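The asymmetry described above, destination authorised but source not, as a runnable model. This is an added example and not MantisBT code; it is written in Python rather than PHP so it runs stand-alone. The `Tracker` and `Project` classes, the two user accounts, the project data and the `copy_columns_vulnerable` / `copy_columns_fixed` functions are all constructed here; only the order of the checks (MANAGER on the destination, view_bug_threshold on the destination, and after the fix MANAGER on the source) follows the patched manage_columns_copy.php hunk, and the numeric levels follow MantisBT's default access_levels_enum_string.

```python
"""Model of the access checks around MantisBT's "Copy From" column action.

Added illustration, not MantisBT code: the access model, project data and
user grants are all constructed here. Only the shape of the checks follows
the diff to manage_columns_copy.php.
"""
from dataclasses import dataclass, field

ALL_PROJECTS = 0
# MantisBT default access levels (access_levels_enum_string)
VIEWER, REPORTER, DEVELOPER, MANAGER = 10, 25, 55, 70


class AccessDenied(Exception):
    """Stands in for access_ensure_project_level() failing the request."""


@dataclass
class Project:
    name: str
    private: bool
    columns: list
    view_bug_threshold: int = VIEWER  # assumed per-project default


@dataclass
class Tracker:
    projects: dict           # project id -> Project
    default_columns: list    # column list stored under ALL_PROJECTS
    global_level: dict = field(default_factory=dict)  # user -> global level
    grants: dict = field(default_factory=dict)        # (user, project id) -> level

    def access_level(self, user, project_id):
        if project_id == ALL_PROJECTS:
            return self.global_level.get(user, 0)
        if (user, project_id) in self.grants:
            return self.grants[(user, project_id)]
        # a private project is invisible without an explicit grant
        if self.projects[project_id].private:
            return 0
        return self.global_level.get(user, 0)

    def ensure_project_level(self, threshold, user, project_id):
        if self.access_level(user, project_id) < threshold:
            raise AccessDenied(f"{user} lacks level {threshold} on project {project_id}")

    def _columns_of(self, project_id):
        if project_id == ALL_PROJECTS:
            return list(self.default_columns)
        return list(self.projects[project_id].columns)

    def _store(self, project_id, columns):
        if project_id == ALL_PROJECTS:
            self.default_columns = columns
        else:
            self.projects[project_id].columns = columns

    def copy_columns_vulnerable(self, user, src, dst, manage_page=True):
        """Pre-2.27.2 shape: only the destination is authorised (assumed guard
        on manage_page for the MANAGER check)."""
        if manage_page:
            self.ensure_project_level(MANAGER, user, dst)
        if dst != ALL_PROJECTS:
            self.ensure_project_level(self.projects[dst].view_bug_threshold, user, dst)
        columns = self._columns_of(src)   # source read with no check at all
        self._store(dst, columns)
        return columns

    def copy_columns_fixed(self, user, src, dst, manage_page=True):
        """2.27.2 shape: MANAGER is also required on a non-global source."""
        if manage_page:
            self.ensure_project_level(MANAGER, user, dst)
        if manage_page and src != ALL_PROJECTS:
            self.ensure_project_level(MANAGER, user, src)
        if dst != ALL_PROJECTS:
            self.ensure_project_level(self.projects[dst].view_bug_threshold, user, dst)
        columns = self._columns_of(src)
        self._store(dst, columns)
        return columns


def build_tracker():
    """Constructed sample: mallory manages a public project and has no grant
    on the private one; alice manages both."""
    return Tracker(
        projects={
            1: Project("public-app", False, ["id", "summary", "status"]),
            2: Project("secret-project", True,
                       ["id", "summary", "custom_Customer", "custom_Contract"]),
        },
        default_columns=["id", "summary"],
        global_level={"mallory": REPORTER},
        grants={("mallory", 1): MANAGER, ("alice", 1): MANAGER, ("alice", 2): MANAGER},
    )


def demo():
    """Returns (columns leaked by the old code, fixed code denied?, Copy To denied?)."""
    t = build_tracker()
    leaked = t.copy_columns_vulnerable("mallory", src=2, dst=1)
    try:
        t.copy_columns_fixed("mallory", src=2, dst=1)
        fixed_denied = False
    except AccessDenied:
        fixed_denied = True
    try:  # reverse direction: writing into project 2 was always refused
        t.copy_columns_vulnerable("mallory", src=1, dst=2)
        copy_to_denied = False
    except AccessDenied:
        copy_to_denied = True
    return leaked, fixed_denied, copy_to_denied


if __name__ == "__main__":
    print(demo())
```

`demo()` shows the pre-fix handler handing mallory the private project's column list (custom field names included) while refusing the write in the other direction, and the fixed handler refusing the read as well; a legitimate manager of both projects is unaffected.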
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| mantisbt/mantisbt (Packagist) | < 2.27.2 | 2.27.2 |
Patches
4fe94f45fa2b Add access check when copying column settings
1 file changed · +5 −0
manage_columns_copy.php+5 −0 modified@@ -75,6 +75,11 @@ access_ensure_project_level( MANAGER, $t_dst_project_id ); } +# only MANAGERS can read global defaults of a project +if( $f_manage_page && $t_src_project_id != ALL_PROJECTS ) { + access_ensure_project_level( MANAGER, $t_src_project_id ); +} + # user should only be able to set columns for a project that is accessible. if( $t_dst_project_id != ALL_PROJECTS ) { access_ensure_project_level( config_get( 'view_bug_threshold', null, null, $t_dst_project_id ), $t_dst_project_id );
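Review bot: the new source-project check is gated on `$f_manage_page`, so when the copy is not initiated from the manage page `$t_src_project_id` is never authorised at all, while the destination is still held to `view_bug_threshold` unconditionally a few lines below. Consider mirroring that for the source, e.g. `if( $t_src_project_id != ALL_PROJECTS ) { access_ensure_project_level( config_get( 'view_bug_threshold', null, null, $t_src_project_id ), $t_src_project_id ); }`, so a user cannot pull the column layout of a project they cannot view in either mode. Also, the comment "only MANAGERS can read global defaults of a project" sits on a branch that runs precisely when the source is not ALL_PROJECTS; "project-level defaults" would describe it accurately.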
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- https://github.com/advisories/GHSA-g582-8vwr-68h2 (GitHub Advisory Database)
- https://nvd.nist.gov/vuln/detail/CVE-2025-62520 (NVD)
- https://github.com/mantisbt/mantisbt/commit/4fe94f45fa2baea2aeb4b65781d2009e7b4a0bf3 (fix commit)
- https://github.com/mantisbt/mantisbt/security/advisories/GHSA-g582-8vwr-68h2 (MantisBT security advisory)
- https://mantisbt.org/bugs/view.php (MantisBT bug tracker)