VYPR
Moderate severity · GHSA Advisory · Published May 11, 2026 · Updated May 11, 2026

MantisBT: Authorization Bypass in Bugnote Editing via Issue Update API

CVE-2026-42070

Description

The mc_issue_update() function in MantisBT allows users having *update_bug_threshold* access (UPDATER, with default settings) to edit, change view state, and modify time tracking on bugnotes belonging to other users — bypassing the default DEVELOPER (level 55) threshold required by the dedicated mc_issue_note_update() function.

Impact

1. UPDATER can edit notes by DEVELOPER/MANAGER/ADMIN, bypassing the DEVELOPER threshold
2. UPDATER can change private notes to public, exposing confidential internal discussion
3. UPDATER can change public notes to private, hiding information from reporters/viewers

Patches

- 6e58fae4f22efdc3987f903c8ba2611de17a9435

Workarounds

None

Credits

Thanks to the following security researchers for independently discovering and responsibly reporting the issue.

- Vishal Shukla
- Tristan Madani (@TristanInSec) from Talence Security

This advisory's contents were largely copied from Tristan's well-written report.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

MantisBT's mc_issue_update() API allows UPDATER-level users to edit any bugnote, bypassing the DEVELOPER threshold, enabling unauthorized modifications and view state changes.

Vulnerability

Details

The mc_issue_update() function in MantisBT's SOAP/REST API performs only a single authorization check at the issue level—update_bug_threshold (default UPDATER, level 40)—before processing embedded bugnote modifications [1][3]. In contrast, the dedicated mc_issue_note_update() function enforces note-level thresholds: update_bugnote_threshold (DEVELOPER, level 55) for non-owners and bugnote_user_edit_threshold for owners [1]. This discrepancy allows any user with UPDATER access to bypass note-level authorization and modify bugnotes belonging to other users.

Exploitation

An authenticated user with UPDATER privileges can craft a request to mc_issue_update() that includes a notes array referencing an existing bugnote ID. The function then directly calls bugnote_set_text(), bugnote_set_view_state(), and bugnote_set_time_tracking() without verifying whether the user has the required note-level permissions [3]. No additional authentication or special network position is required beyond standard API access.
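The two authorization paths described in Details and Exploitation, modelled in PHP as an added example that is not MantisBT's own code: a single issue-level gate versus the per-note owner/non-owner check that the fix introduces. Function names are hypothetical; the access levels are MantisBT defaults, and the REPORTER default for bugnote_user_edit_threshold is an assumption.

```php
<?php
// Added example, not MantisBT code: a minimal model of the two authorization
// paths described above, using MantisBT's default access levels
// (REPORTER = 25, UPDATER = 40, DEVELOPER = 55). The REPORTER default for
// bugnote_user_edit_threshold is an assumption; function names are hypothetical.
const REPORTER  = 25;
const UPDATER   = 40;
const DEVELOPER = 55;

// Pre-fix shape: a single issue-level gate (update_bug_threshold), after which
// every bugnote referenced in the request is treated as editable.
function editableNotesPreFix(int $userLevel, array $notes, int $updateBugThreshold = UPDATER): array
{
    $allowed = $userLevel >= $updateBugThreshold;
    return array_fill_keys(array_keys($notes), $allowed);
}

// Post-fix shape: the issue-level gate plus a per-note threshold chosen by
// ownership, mirroring the owner/non-owner split of mc_issue_note_update().
function editableNotesPostFix(
    int $userId, int $userLevel, array $notes,
    int $updateBugThreshold = UPDATER,
    int $updateBugnoteThreshold = DEVELOPER,
    int $bugnoteUserEditThreshold = REPORTER
): array {
    $result = [];
    foreach ($notes as $noteId => $note) {
        if ($userLevel < $updateBugThreshold) {
            $result[$noteId] = false;
            continue;
        }
        $ownsNote = $note['reporter_id'] === $userId;
        $threshold = $ownsNote ? $bugnoteUserEditThreshold : $updateBugnoteThreshold;
        $result[$noteId] = $userLevel >= $threshold;
    }
    return $result;
}

// Small self-check helper so the script fails loudly regardless of zend.assertions.
function check(bool $ok, string $what): void { if (!$ok) { throw new RuntimeException("FAIL: $what"); } }

// Constructed sample: user 7 holds UPDATER; note 1 is their own,
// note 2 was written by user 3 (a DEVELOPER).
$notes = [1 => ['reporter_id' => 7], 2 => ['reporter_id' => 3]];
check(editableNotesPreFix(UPDATER, $notes) === [1 => true, 2 => true], 'pre-fix: issue-level gate alone allows both notes');
check(editableNotesPostFix(7, UPDATER, $notes) === [1 => true, 2 => false], 'post-fix: UPDATER stopped at DEVELOPER on another user\'s note');
check(editableNotesPostFix(3, DEVELOPER, $notes) === [1 => true, 2 => true], 'post-fix: DEVELOPER clears both thresholds');
echo "authorization model checks passed\n";
```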

Impact

An attacker can edit the text of any visible bugnote, change its view state (making private notes public or vice versa), and modify time tracking entries [1]. This can expose confidential internal discussions, hide information from reporters, or corrupt audit trails. The vulnerability affects all MantisBT versions with the SOAP/REST API prior to the fix.

Mitigation

The issue is fixed in commit 6e58fae4f22efdc3987f903c8ba2611de17a9435, which adds per-note authorization checks using the appropriate thresholds [4]. The fix is included in MantisBT version 2.28.2 [1]. No workarounds are available; users should upgrade immediately.

AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

| Package | Affected versions | Patched versions |
|---|---|---|
| mantisbt/mantisbt (Packagist) | < 2.28.2 | 2.28.2 |

Affected products

- Mantisbt/Mantisbt (GHSA): 2 versions, range <= 2.28.1 (no CPE)

Patches

1 patch: 6e58fae4f22e

Fix Bugnote update auth bypass via REST/SOAP API

https://github.com/mantisbt/mantisbt · Damien Regad · May 6, 2026 · via ghsa
1 file changed · +12 −0
  • api/soap/mc_issue_api.php (+12 −0, modified)
    @@ -1173,6 +1173,9 @@ function mc_issue_update( $p_username, $p_password, $p_issue_id, stdClass $p_iss
     			$t_bugnotes_by_id[$t_bugnote->id] = $t_bugnote;
     		}
     
    +		$t_update_bugnote_threshold = config_get( 'update_bugnote_threshold', null, $t_user_id, $t_project_id );
    +		$t_bugnote_user_edit_threshold = config_get( 'bugnote_user_edit_threshold', null, $t_user_id, $t_project_id );
    +
     		foreach( $p_issue['notes'] as $t_note ) {
     			$t_note = ApiObjectFactory::objectToArray( $t_note );
     			$t_view_state = $t_note['view_state'] ?? config_get( 'default_bugnote_view_status' );
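Review bot: the two config_get() calls for update_bugnote_threshold and bugnote_user_edit_threshold are resolved once, before the foreach, with $t_user_id and $t_project_id, which is the right place (per-user and per-project overrides are honoured and the lookup is not repeated per note). Neither variable is defined in this hunk, so confirm that both are populated earlier in mc_issue_update() from the authenticated user and the issue's own project rather than from anything in the request body; otherwise the thresholds could be resolved for the wrong project.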
    @@ -1183,6 +1186,15 @@ function mc_issue_update( $p_username, $p_password, $p_issue_id, stdClass $p_iss
     				$t_view_state_id = mci_get_enum_id_from_objectref( 'view_state', $t_view_state );
     
     				if( array_key_exists( $t_bugnote_id, $t_bugnotes_by_id ) ) {
    +					$t_bugnote = $t_bugnotes_by_id[$t_bugnote_id];
    +
    +					# Make sure user is allowed to edit the individual note
    +					$t_user_owns_note = $t_bugnote->reporter_id == $t_user_id;
    +					$t_edit_threshold = $t_user_owns_note ? $t_bugnote_user_edit_threshold : $t_update_bugnote_threshold;
    +					if( !access_has_bugnote_level( $t_edit_threshold, $t_bugnote_id, $t_user_id ) ) {
    +						return mci_fault_access_denied( $t_user_id , "Not allowed to update note $t_bugnote_id" );
    +					}
    +
     					$t_bugnote_changed = false;
     					$t_bugnote = $t_bugnotes_by_id[$t_bugnote_id];
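Review bot: the new check returns mci_fault_access_denied() from inside the foreach over $p_issue['notes'], so when a later note in the array fails the check, notes earlier in the array have already gone through the update path; consider running the per-note check over every referenced note in a first pass and only then applying changes, so a denied request leaves nothing modified. Minor: the added `$t_bugnote = $t_bugnotes_by_id[$t_bugnote_id];` duplicates the unchanged assignment two lines below it, so one of the two can go, and `$t_user_id , "Not allowed...` has a stray space before the comma.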
     
    
