Staging Environment: Content and features may be unstable or change without notice.
Search for vulnerabilities
Vulnerability details: VCID-es4b-p6jh-7fgf
Vulnerability ID VCID-es4b-p6jh-7fgf
Aliases CVE-2026-42071
GHSA-pw5x-2mf9-3xc8
Summary MantisBT has a Private Bugnote Attachment Content Leak via REST API A missing authorization check in MantisBT's file visibility function allows any authenticated user (REPORTER+) to download attachments on private bugnotes they should not be able to access, via the REST API endpoint GET /api/rest/issues/{id}/files and SOAP API mc_issue_attachment_get endpoint. ### Impact - REPORTER (access level 25) can view file attachments that were uploaded to private bugnotes by DEVELOPER/MANAGER/ADMIN users - Private bugnotes are intended for internal developer discussion; their attachments (logs, screenshots, patches) should be equally protected - The web UI is NOT affected — it filters through bugnote_get_all_visible_bugnotes() first ### Patches - 029d9d203d9e4ae96b3e59d552fa7395cc1e5071 ### Workarounds None ### Credits Thanks to the following security researchers for independently discovering and responsibly reporting the issue. - Vishal Shukla - Tristan Madani (@TristanInSec) from Talence Security - Tang Cheuk Hei (@siunam321) This advisory's contents was largely copied from Tristan's well-written report.
Status Published
Exploitability None
Weighted Severity None
Risk None
Affected and Fixed Packages Package Details
Weaknesses (1)
CWE-862 Missing Authorization
System Score Found at
epss 0.00046 https://api.first.org/data/v1/epss?cve=CVE-2026-42071
epss 0.00046 https://api.first.org/data/v1/epss?cve=CVE-2026-42071
epss 0.00046 https://api.first.org/data/v1/epss?cve=CVE-2026-42071
cvssv3.1_qr HIGH https://github.com/advisories/GHSA-pw5x-2mf9-3xc8
cvssv4 7.2 https://github.com/advisories/GHSA-xjmx-cprh-646r
generic_textual HIGH https://github.com/advisories/GHSA-xjmx-cprh-646r
cvssv4 7.2 https://github.com/mantisbt/mantisbt
generic_textual HIGH https://github.com/mantisbt/mantisbt
cvssv4 7.2 https://github.com/mantisbt/mantisbt/commit/029d9d203d9e4ae96b3e59d552fa7395cc1e5071
generic_textual HIGH https://github.com/mantisbt/mantisbt/commit/029d9d203d9e4ae96b3e59d552fa7395cc1e5071
ssvc Track https://github.com/mantisbt/mantisbt/commit/029d9d203d9e4ae96b3e59d552fa7395cc1e5071
cvssv3.1_qr HIGH https://github.com/mantisbt/mantisbt/security/advisories/GHSA-pw5x-2mf9-3xc8
cvssv4 7.2 https://github.com/mantisbt/mantisbt/security/advisories/GHSA-pw5x-2mf9-3xc8
generic_textual HIGH https://github.com/mantisbt/mantisbt/security/advisories/GHSA-pw5x-2mf9-3xc8
ssvc Track https://github.com/mantisbt/mantisbt/security/advisories/GHSA-pw5x-2mf9-3xc8
cvssv4 7.2 https://mantisbt.org/bugs/view.php?id=27039
generic_textual HIGH https://mantisbt.org/bugs/view.php?id=27039
ssvc Track https://mantisbt.org/bugs/view.php?id=27039
cvssv4 7.2 https://mantisbt.org/bugs/view.php?id=36985
generic_textual HIGH https://mantisbt.org/bugs/view.php?id=36985
ssvc Track https://mantisbt.org/bugs/view.php?id=36985
cvssv4 7.2 https://mantisbt.org/bugs/view.php?id=37092
generic_textual HIGH https://mantisbt.org/bugs/view.php?id=37092
ssvc Track https://mantisbt.org/bugs/view.php?id=37092
Reference id Reference type URL
https://api.first.org/data/v1/epss?cve=CVE-2026-42071
https://github.com/advisories/GHSA-xjmx-cprh-646r
https://github.com/mantisbt/mantisbt
https://github.com/mantisbt/mantisbt/commit/029d9d203d9e4ae96b3e59d552fa7395cc1e5071
https://github.com/mantisbt/mantisbt/security/advisories/GHSA-pw5x-2mf9-3xc8
https://mantisbt.org/bugs/view.php?id=27039
https://mantisbt.org/bugs/view.php?id=36985
https://mantisbt.org/bugs/view.php?id=37092
GHSA-pw5x-2mf9-3xc8 https://github.com/advisories/GHSA-pw5x-2mf9-3xc8
No exploits are available.
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:L/VA:L/SC:N/SI:N/SA:N Found at https://github.com/advisories/GHSA-xjmx-cprh-646r
Attack Vector (AV) Attack Complexity (AC) Attack Requirements (AT) Privileges Required (PR) User Interaction (UI) Vulnerable System Impact Confidentiality (VC) Vulnerable System Impact Integrity (VI) Vulnerable System Impact Availability (VA) Subsequent System Impact Confidentiality (SC) Subsequent System Impact Integrity (SI) Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:L/VA:L/SC:N/SI:N/SA:N Found at https://github.com/mantisbt/mantisbt
Attack Vector (AV) Attack Complexity (AC) Attack Requirements (AT) Privileges Required (PR) User Interaction (UI) Vulnerable System Impact Confidentiality (VC) Vulnerable System Impact Integrity (VI) Vulnerable System Impact Availability (VA) Subsequent System Impact Confidentiality (SC) Subsequent System Impact Integrity (SI) Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:L/VA:L/SC:N/SI:N/SA:N Found at https://github.com/mantisbt/mantisbt/commit/029d9d203d9e4ae96b3e59d552fa7395cc1e5071
Attack Vector (AV) Attack Complexity (AC) Attack Requirements (AT) Privileges Required (PR) User Interaction (UI) Vulnerable System Impact Confidentiality (VC) Vulnerable System Impact Integrity (VI) Vulnerable System Impact Availability (VA) Subsequent System Impact Confidentiality (SC) Subsequent System Impact Integrity (SI) Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-05-29T13:56:42Z/ Found at https://github.com/mantisbt/mantisbt/commit/029d9d203d9e4ae96b3e59d552fa7395cc1e5071
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:L/VA:L/SC:N/SI:N/SA:N Found at https://github.com/mantisbt/mantisbt/security/advisories/GHSA-pw5x-2mf9-3xc8
Attack Vector (AV) Attack Complexity (AC) Attack Requirements (AT) Privileges Required (PR) User Interaction (UI) Vulnerable System Impact Confidentiality (VC) Vulnerable System Impact Integrity (VI) Vulnerable System Impact Availability (VA) Subsequent System Impact Confidentiality (SC) Subsequent System Impact Integrity (SI) Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-05-29T13:56:42Z/ Found at https://github.com/mantisbt/mantisbt/security/advisories/GHSA-pw5x-2mf9-3xc8
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:L/VA:L/SC:N/SI:N/SA:N Found at https://mantisbt.org/bugs/view.php?id=27039
Attack Vector (AV) Attack Complexity (AC) Attack Requirements (AT) Privileges Required (PR) User Interaction (UI) Vulnerable System Impact Confidentiality (VC) Vulnerable System Impact Integrity (VI) Vulnerable System Impact Availability (VA) Subsequent System Impact Confidentiality (SC) Subsequent System Impact Integrity (SI) Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-05-29T13:56:42Z/ Found at https://mantisbt.org/bugs/view.php?id=27039
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:L/VA:L/SC:N/SI:N/SA:N Found at https://mantisbt.org/bugs/view.php?id=36985
Attack Vector (AV) Attack Complexity (AC) Attack Requirements (AT) Privileges Required (PR) User Interaction (UI) Vulnerable System Impact Confidentiality (VC) Vulnerable System Impact Integrity (VI) Vulnerable System Impact Availability (VA) Subsequent System Impact Confidentiality (SC) Subsequent System Impact Integrity (SI) Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-05-29T13:56:42Z/ Found at https://mantisbt.org/bugs/view.php?id=36985
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:L/VA:L/SC:N/SI:N/SA:N Found at https://mantisbt.org/bugs/view.php?id=37092
Attack Vector (AV) Attack Complexity (AC) Attack Requirements (AT) Privileges Required (PR) User Interaction (UI) Vulnerable System Impact Confidentiality (VC) Vulnerable System Impact Integrity (VI) Vulnerable System Impact Availability (VA) Subsequent System Impact Confidentiality (SC) Subsequent System Impact Integrity (SI) Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-05-29T13:56:42Z/ Found at https://mantisbt.org/bugs/view.php?id=37092
Exploit Prediction Scoring System (EPSS)
Percentile 0.14742
EPSS Score 0.00046
Published At June 5, 2026, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2026-06-04T17:04:29.291380+00:00 GithubOSV Importer Import https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-pw5x-2mf9-3xc8/GHSA-pw5x-2mf9-3xc8.json 38.6.0