CVE-2026-42071: MantisBT: Private Bugnote Attachment Content Leak via REST API
Mantis Bug Tracker (MantisBT) is an open source issue tracker. From 2.23.0 to 2.28.1, a missing authorization check in MantisBT's file visibility function allows any authenticated user (REPORTER+) to download attachments on private bugnotes they should not be able to access, via the REST API endpoint GET /api/rest/issues/{id}/files and SOAP API mc_issue_attachment_get endpoint. This vulnerability is fixed in 2.28.2.
HarborGuard Analysis
Synopsis
A missing authorization check in Mantis Bug Tracker (MantisBT) versions 2.23.0 through 2.28.1 allows any authenticated user with Reporter-level access or higher to download file attachments on private bugnotes they are not permitted to view. The flaw is reachable over the network via the REST API endpoint GET /api/rest/issues/{id}/files and the SOAP API mc_issue_attachment_get endpoint, and requires only a valid low-privilege account with no further user interaction. Successful exploitation gives an attacker read access to confidential attachment content; the CVSS vector also records low integrity (VI:L) and availability (VA:L) impact, but the advisory itself describes only the disclosure. The upstream fix is MantisBT 2.28.2, and HarborGuard makes a patched-image rebuild available against that release.
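To make the missing check concrete, the following is an added model of the bug, written for this page; it is not MantisBT code and does not reproduce MantisBT's real functions. It assumes MantisBT-style numeric access levels (REPORTER = 25, DEVELOPER = 55) and a private-bugnote threshold defaulting to DEVELOPER, with a small constructed issue that carries one public note, one private note and one file on each. file_visible_vulnerable decides visibility from the parent issue alone, which is the shape of the flaw described above: the attachment on the private note inherits the issue's visibility. file_visible_fixed additionally requires the bugnote itself to be visible to the caller.

```python
from dataclasses import dataclass
from typing import Callable, List, Optional

# MantisBT-style numeric access levels. These values and the private-note
# threshold are assumptions of this model, not code taken from MantisBT.
REPORTER = 25
DEVELOPER = 55
PRIVATE_BUGNOTE_THRESHOLD = DEVELOPER  # assumed default of private_bugnote_threshold


@dataclass(frozen=True)
class User:
    user_id: int
    access_level: int


@dataclass(frozen=True)
class Bugnote:
    bugnote_id: int
    bug_id: int
    reporter_id: int
    private: bool


@dataclass(frozen=True)
class Attachment:
    file_id: int
    bug_id: int
    bugnote_id: Optional[int]  # None for files attached directly to the issue
    name: str


# Constructed sample data: one public issue (id 7) with a public note, a
# private note, one attachment on each note and one attachment on the issue.
BUGNOTES = {
    101: Bugnote(101, 7, reporter_id=3, private=False),
    102: Bugnote(102, 7, reporter_id=4, private=True),
}
ATTACHMENTS = [
    Attachment(1, 7, None, "screenshot.png"),
    Attachment(2, 7, 101, "public-log.txt"),
    Attachment(3, 7, 102, "credentials-dump.txt"),
]


def can_view_bug(user: User, bug_id: int) -> bool:
    # The sample issue is public: any account at REPORTER or above can open it.
    return bug_id == 7 and user.access_level >= REPORTER


def can_view_bugnote(user: User, bugnote: Bugnote) -> bool:
    # Private notes are visible to their author and to accounts at or above
    # the private-note threshold; public notes follow the issue's visibility.
    if not can_view_bug(user, bugnote.bug_id):
        return False
    if not bugnote.private:
        return True
    return user.user_id == bugnote.reporter_id or user.access_level >= PRIVATE_BUGNOTE_THRESHOLD


def file_visible_vulnerable(user: User, att: Attachment) -> bool:
    # Models the missing check: visibility is decided from the parent issue
    # alone, so a file on a private note is served to anyone who can see the issue.
    return can_view_bug(user, att.bug_id)


def file_visible_fixed(user: User, att: Attachment) -> bool:
    # Hardened form: a file that belongs to a bugnote is visible only when the
    # bugnote itself is visible to the caller.
    if not can_view_bug(user, att.bug_id):
        return False
    if att.bugnote_id is None:
        return True
    return can_view_bugnote(user, BUGNOTES[att.bugnote_id])


def list_issue_files(user: User, issue_id: int,
                     visible: Callable[[User, Attachment], bool]) -> List[str]:
    # Stand-in for the listing behind GET /api/rest/issues/{id}/files:
    # returns the names of the attachments the visibility function allows.
    return [a.name for a in ATTACHMENTS if a.bug_id == issue_id and visible(user, a)]


if __name__ == "__main__":
    reporter = User(user_id=3, access_level=REPORTER)
    print("vulnerable:", list_issue_files(reporter, 7, file_visible_vulnerable))
    print("fixed:     ", list_issue_files(reporter, 7, file_visible_fixed))
```

The point the model makes is that the bug is an object-level authorization gap, not a missing authentication step: the caller is logged in and allowed to see the issue, and the file endpoint never re-derives the stricter visibility of the note the file hangs off.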
HarborGuard Coverage
Detection is available across every HarborGuard environment: the CVE is ingested from upstream advisory feeds within minutes of publication and matched against all customer images in connected registries and CI/CD pipelines, including custom-built images that bundle MantisBT. Any image carrying a MantisBT version in the affected range (2.23.0 to 2.28.1) is flagged automatically.
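The range match a scanner has to make for this advisory is small but easy to get wrong, so here is an added example of it, written for this page rather than taken from HarborGuard or MantisBT. It assumes an inventory already extracted from images as a mapping of image reference to the MantisBT version string found inside, with the constructed sample below including a "v" prefix, a distro-style "-r2" suffix and a two-digit patch number to show why versions must be compared as integer tuples rather than strings.

```python
import re
from typing import Dict, List, Tuple

# Affected range taken from the advisory: 2.23.0 <= version < 2.28.2.
AFFECTED_MIN = "2.23.0"
FIXED_IN = "2.28.2"

_VERSION_RE = re.compile(r"^v?(\d+(?:\.\d+)*)")


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '2.28.1', 'v2.28.1' or '2.28.1-r3' into a comparable integer tuple.

    Comparing as integers matters: a plain string compare would sort
    '2.28.10' before '2.28.2' and mis-classify it. Anything without a
    leading dotted number is rejected rather than guessed at.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    parts = tuple(int(p) for p in m.group(1).split("."))
    if len(parts) < 3:
        # Pad so that '2.28' compares like '2.28.0'.
        parts = parts + (0,) * (3 - len(parts))
    return parts


def is_affected(version: str) -> bool:
    v = parse_version(version)
    return parse_version(AFFECTED_MIN) <= v < parse_version(FIXED_IN)


def flag_images(inventory: Dict[str, str]) -> List[Tuple[str, str]]:
    """Return (image, version) pairs whose bundled MantisBT is in the affected range."""
    return sorted((img, ver) for img, ver in inventory.items() if is_affected(ver))


# Constructed sample inventory: image reference -> MantisBT version found inside it.
# The hosts and tags are illustrative; 2.28.10 is included only to exercise ordering.
SAMPLE_INVENTORY = {
    "registry.example.internal/tools/mantisbt:2.22.1": "2.22.1",
    "registry.example.internal/tools/mantisbt:2.23.0": "2.23.0",
    "registry.example.internal/tools/mantisbt:2.28.1": "2.28.1",
    "registry.example.internal/tools/mantisbt:2.28.2": "2.28.2",
    "registry.example.internal/tools/mantisbt:2.28.10": "v2.28.10",
    "registry.example.internal/team/tracker:latest": "2.26.0-r2",
}

if __name__ == "__main__":
    for img, ver in flag_images(SAMPLE_INVENTORY):
        print(f"AFFECTED {img} (MantisBT {ver})")
```

Note that the image tag is deliberately not trusted: the "team/tracker:latest" entry is flagged from the version found inside the image, which is the only reliable signal for custom-built images that bundle MantisBT.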
HarborGuard scores this vulnerability at CVSS 7.2 HIGH and is capable of weighting that score against each customer environment's compliance policy to reflect local risk tolerance. Routed findings land in the appropriate team inbox based on per-org routing rules, so the right people see the alert without manual triage.
The upstream fix is MantisBT 2.28.2. HarborGuard re-checks the advisory on every ingest cycle and offers a patched-image rebuild at 2.28.2 or a later release. For customers with auto-remediation enabled, the rebuild, regression test run, and a PR against affected workloads are triggered automatically.
Exploit Conditions
- Network reachability: Required
The vulnerable REST and SOAP API endpoints are exposed over the network, so an attacker must be able to reach the MantisBT service remotely.
- Authentication: Required
A valid MantisBT account at Reporter privilege level or above is required; any standard low-privilege account is sufficient to exploit this flaw.
- Victim interaction: Not required
The attacker makes direct API requests and does not need any action from another user to retrieve private bugnote attachments.
- Attack complexity: Low
Exploitation is reliable and condition-free: no race condition, specific memory layout, or unusual environmental state is needed beyond possessing a valid account.
Blast Radius
- Reads the binary or text content of file attachments on private bugnotes that the attacker's account is not authorized to view, exposing confidential issue-tracking data.
- The CVSS vector records low integrity (VI:L) and availability (VA:L) impact, but the advisory describes only the disclosure of attachment content and names no integrity or availability mechanism; treat confidentiality as the impact that matters when prioritising.
- Impact is contained to the MantisBT application itself; the CVSS SC:N/SI:N/SA:N tokens indicate no scope change into adjacent systems or infrastructure.
How HarborGuard Handles This
Upgrade to MantisBT 2.28.2 or later; that is the upstream fix and the only change that closes the missing check. HarborGuard re-checks the advisory on every ingest cycle and offers a patched-image rebuild at 2.28.2 or later. Where the upgrade must wait, compensating controls worth considering are: restricting network access to the MantisBT REST and SOAP API endpoints via network policy, web server rules or an API gateway; reviewing which accounts hold Reporter level or above, since every such account can exploit the flaw; and reviewing web server access logs for requests to GET /api/rest/issues/{id}/files and to the SOAP mc_issue_attachment_get endpoint from accounts that should not see private bugnotes. Egress filtering does not help here: the data leaves through the same authenticated API the attacker is calling. For customers with auto-remediation enabled, HarborGuard rebuilds affected images at the patched version, runs a regression test suite, and opens a PR against affected workloads without manual intervention.
Metrics
- CVSS v4.0: 7.2
- Severity: HIGH
- Fixed in: 2.28.2
- Affected Products: 1
- mantisbt / mantisbt: >= 2.23.0, < 2.28.2
- Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:L/VA:L/SC:N/SI:N/SA:N