MantisBT, Improper Authorization Bypass, CVE-2026-42071 (High)

Listen to this Post

The root cause is a missing authorization check in the file visibility function of MantisBT. This flaw affects both the REST API endpoint `GET /api/rest/issues/{id}/files` and the SOAP API method mc_issue_attachment_get. Normally, when a user attempts to view or download an attachment, the system should verify if the user has permission to see the parent bugnote. This is what the `bugnote_get_all_visible_bugnotes()` function does for the web UI. However, the API endpoints directly fetch the file by its ID without performing the same ownership or access control validation. As a result, an attacker with `REPORTER` privileges who has no access to a particular private bugnote can still request the attachment ID. Because the API fails to check if the end user is actually allowed to view that specific bugnote, the system serves the file. This grants `REPORTER` users access to sensitive developer materials such as logs, screenshots, and patches attached to private bugnotes, bypassing intended restrictions.
Platform: MantisBT
Version: 2.27.1 and
Vulnerability : missing auth check
Severity: High
date: 2026-05-09

Prediction: immediately (patch available)

What Undercode Say:

curl -X GET "http://target-mantisbt.com/api/rest/issues/1/files" -H "Authorization: <REPORTER_TOKEN>"
curl -X POST "http://target-mantisbt.com/api/soap/mantisconnect.php" -d "<?xml version='1.0' encoding='utf-8'?><SOAP-ENV:Envelope...><mc_issue_attachment_get><issue_id>1</issue_id></mc_issue_attachment_get></SOAP-ENV:Envelope>"

Exploit:

1. Login as `REPORTER` user.

  1. Obtain a private bugnote’s attachment ID via browsing or guessing.
  2. Send request to `GET /api/rest/issues/{bugnote_id}/files` with the user’s auth token.
  3. If successful, the response returns the file’s metadata or raw content, leaking the sensitive information.

Protection from this CVE:

Apply official patch commit 029d9d203d9e4ae96b3e59d552fa7395cc1e5071. If not immediately possible, disable REST and SOAP APIs entirely or restrict access to them at the network level.

Impact:

Any authenticated `REPORTER` can view any attachment from any private bugnote, including those created by DEVELOPER, MANAGER, or `ADMIN` users. This leaks confidential internal discussions, debugging logs, and security-relevant patches.

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: github.com
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top