GHSA-pq86-j2c2-47f6

Source

https://github.com/advisories/GHSA-pq86-j2c2-47f6

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-pq86-j2c2-47f6/GHSA-pq86-j2c2-47f6.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-pq86-j2c2-47f6

Aliases

CVE-2026-42070

Published

2026-05-11T19:39:31Z

Modified

2026-05-11T19:48:53.173758Z

Severity

5.3 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N CVSS Calculator

Summary

MantisBT: Authorization Bypass in Bugnote Editing via Issue Update API

Details

The mcissueupdate() function in MantisBT allows users having updatebugthreshold access (UPDATER, with default settings) to edit, change view state, and modify time tracking on bugnotes belonging to other users — bypassing the default DEVELOPER (level 55) threshold required by the dedicated mcissuenote_update() function.

Impact

UPDATER can edit notes by DEVELOPER/MANAGER/ADMIN — bypassing the DEVELOPER threshold
UPDATER can change private notes to public — exposing confidential internal discussion
UPDATER can change public notes to private — hiding information from reporters/viewers

Patches

6e58fae4f22efdc3987f903c8ba2611de17a9435

Workarounds

None

Credits

Thanks to the following security researchers for independently discovering and responsibly reporting the issue. - Vishal Shukla - Tristan Madani (@TristanInSec) from Talence Security

This advisory's contents was largely copied from Tristan's well-written report.

Database specific

{
    "github_reviewed": true,
    "github_reviewed_at": "2026-05-11T19:39:31Z",
    "cwe_ids": [
        "CWE-863"
    ],
    "severity": "MODERATE",
    "nvd_published_at": null
}

References

Affected packages

Packagist / mantisbt/mantisbt

Package

Name: mantisbt/mantisbt
Purl: pkg:composer/mantisbt/mantisbt

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

2.28.2

Affected versions

2.*

2.3.0

2.3.1

2.3.2

2.3.3

2.4.0

2.4.1

2.4.2

2.5.0

2.5.1

2.5.2

2.6.0

2.7.0

2.7.1

2.8.0

2.8.1

2.9.0

2.9.1

2.10.0

2.10.1

2.11.0

2.11.1

2.12.0

2.12.1

2.12.2

2.13.0

2.13.1

2.13.2

2.14.0

2.15.0

2.15.1

2.16.0

2.16.1

2.17.0

2.17.1

2.17.2

2.18.0

2.18.1

2.19.0

2.19.1

2.20.0

2.20.1

2.21.0

2.21.1

2.21.2

2.21.3

2.22.0

2.22.1

2.22.2

2.23.0

2.23.1

2.24.0

2.24.1

2.24.2

2.24.3

2.24.4

2.24.5

2.25.0

2.25.1

2.25.2

2.25.3

2.25.4

2.25.5

2.25.6

2.25.7

2.25.8

2.26.0

2.26.1

2.26.2

2.26.3

2.26.4

2.27.0

2.27.1

2.27.2

2.27.3

2.28.0

2.28.1

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-pq86-j2c2-47f6/GHSA-pq86-j2c2-47f6.json"

last_known_affected_version_range

"<= 2.28.1"