Staging Environment: Content and features may be unstable or change without notice.
Search for vulnerabilities
Vulnerability details: VCID-xq7x-rtzx-wkef
Vulnerability ID VCID-xq7x-rtzx-wkef
Aliases CVE-2026-42070
GHSA-pq86-j2c2-47f6
Summary MantisBT: Authorization Bypass in Bugnote Editing via Issue Update API The mc_issue_update() function in MantisBT allows users having *update_bug_threshold* access (UPDATER, with default settings) to edit, change view state, and modify time tracking on bugnotes belonging to other users — bypassing the default DEVELOPER (level 55) threshold required by the dedicated mc_issue_note_update() function. ### Impact 1. UPDATER can edit notes by DEVELOPER/MANAGER/ADMIN — bypassing the DEVELOPER threshold 2. UPDATER can change private notes to public — exposing confidential internal discussion 3. UPDATER can change public notes to private — hiding information from reporters/viewers ### Patches - 6e58fae4f22efdc3987f903c8ba2611de17a9435 ### Workarounds None ### Credits Thanks to the following security researchers for independently discovering and responsibly reporting the issue. - Vishal Shukla - Tristan Madani (@TristanInSec) from Talence Security This advisory's contents was largely copied from Tristan's well-written report.
Status Published
Exploitability 0.5
Weighted Severity 6.2
Risk 3.1
Affected and Fixed Packages Package Details
Weaknesses (1)
CWE-863 Incorrect Authorization
System Score Found at
epss 0.00043 https://api.first.org/data/v1/epss?cve=CVE-2026-42070
epss 0.00043 https://api.first.org/data/v1/epss?cve=CVE-2026-42070
epss 0.00043 https://api.first.org/data/v1/epss?cve=CVE-2026-42070
cvssv3.1_qr MODERATE https://github.com/advisories/GHSA-pq86-j2c2-47f6
cvssv4 5.3 https://github.com/mantisbt/mantisbt
generic_textual MODERATE https://github.com/mantisbt/mantisbt
cvssv4 5.3 https://github.com/mantisbt/mantisbt/commit/6e58fae4f22efdc3987f903c8ba2611de17a9435
generic_textual MODERATE https://github.com/mantisbt/mantisbt/commit/6e58fae4f22efdc3987f903c8ba2611de17a9435
ssvc Track https://github.com/mantisbt/mantisbt/commit/6e58fae4f22efdc3987f903c8ba2611de17a9435
cvssv3.1_qr MODERATE https://github.com/mantisbt/mantisbt/security/advisories/GHSA-pq86-j2c2-47f6
cvssv4 5.3 https://github.com/mantisbt/mantisbt/security/advisories/GHSA-pq86-j2c2-47f6
generic_textual MODERATE https://github.com/mantisbt/mantisbt/security/advisories/GHSA-pq86-j2c2-47f6
ssvc Track https://github.com/mantisbt/mantisbt/security/advisories/GHSA-pq86-j2c2-47f6
cvssv4 5.3 https://mantisbt.org/bugs/view.php?id=37089
generic_textual MODERATE https://mantisbt.org/bugs/view.php?id=37089
ssvc Track https://mantisbt.org/bugs/view.php?id=37089
cvssv4 5.3 https://mantisbt.org/bugs/view.php?id=37093
generic_textual MODERATE https://mantisbt.org/bugs/view.php?id=37093
ssvc Track https://mantisbt.org/bugs/view.php?id=37093
Reference id Reference type URL
https://api.first.org/data/v1/epss?cve=CVE-2026-42070
https://github.com/mantisbt/mantisbt
https://github.com/mantisbt/mantisbt/commit/6e58fae4f22efdc3987f903c8ba2611de17a9435
https://github.com/mantisbt/mantisbt/security/advisories/GHSA-pq86-j2c2-47f6
https://mantisbt.org/bugs/view.php?id=37089
https://mantisbt.org/bugs/view.php?id=37093
GHSA-pq86-j2c2-47f6 https://github.com/advisories/GHSA-pq86-j2c2-47f6
No exploits are available.
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N Found at https://github.com/mantisbt/mantisbt
Attack Vector (AV) Attack Complexity (AC) Attack Requirements (AT) Privileges Required (PR) User Interaction (UI) Vulnerable System Impact Confidentiality (VC) Vulnerable System Impact Integrity (VI) Vulnerable System Impact Availability (VA) Subsequent System Impact Confidentiality (SC) Subsequent System Impact Integrity (SI) Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N Found at https://github.com/mantisbt/mantisbt/commit/6e58fae4f22efdc3987f903c8ba2611de17a9435
Attack Vector (AV) Attack Complexity (AC) Attack Requirements (AT) Privileges Required (PR) User Interaction (UI) Vulnerable System Impact Confidentiality (VC) Vulnerable System Impact Integrity (VI) Vulnerable System Impact Availability (VA) Subsequent System Impact Confidentiality (SC) Subsequent System Impact Integrity (SI) Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-06-02T13:49:49Z/ Found at https://github.com/mantisbt/mantisbt/commit/6e58fae4f22efdc3987f903c8ba2611de17a9435
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N Found at https://github.com/mantisbt/mantisbt/security/advisories/GHSA-pq86-j2c2-47f6
Attack Vector (AV) Attack Complexity (AC) Attack Requirements (AT) Privileges Required (PR) User Interaction (UI) Vulnerable System Impact Confidentiality (VC) Vulnerable System Impact Integrity (VI) Vulnerable System Impact Availability (VA) Subsequent System Impact Confidentiality (SC) Subsequent System Impact Integrity (SI) Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-06-02T13:49:49Z/ Found at https://github.com/mantisbt/mantisbt/security/advisories/GHSA-pq86-j2c2-47f6
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N Found at https://mantisbt.org/bugs/view.php?id=37089
Attack Vector (AV) Attack Complexity (AC) Attack Requirements (AT) Privileges Required (PR) User Interaction (UI) Vulnerable System Impact Confidentiality (VC) Vulnerable System Impact Integrity (VI) Vulnerable System Impact Availability (VA) Subsequent System Impact Confidentiality (SC) Subsequent System Impact Integrity (SI) Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-06-02T13:49:49Z/ Found at https://mantisbt.org/bugs/view.php?id=37089
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N Found at https://mantisbt.org/bugs/view.php?id=37093
Attack Vector (AV) Attack Complexity (AC) Attack Requirements (AT) Privileges Required (PR) User Interaction (UI) Vulnerable System Impact Confidentiality (VC) Vulnerable System Impact Integrity (VI) Vulnerable System Impact Availability (VA) Subsequent System Impact Confidentiality (SC) Subsequent System Impact Integrity (SI) Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-06-02T13:49:49Z/ Found at https://mantisbt.org/bugs/view.php?id=37093
Exploit Prediction Scoring System (EPSS)
Percentile 0.13693
EPSS Score 0.00043
Published At June 5, 2026, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2026-06-04T17:03:04.667658+00:00 GithubOSV Importer Import https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-pq86-j2c2-47f6/GHSA-pq86-j2c2-47f6.json 38.6.0