Auth Bypass in MantisBT 2.23.0-2.28.1 via REST/Soap API File Visibility
CVE-2026-42071 Published on May 28, 2026
MantisBT: Private Bugnote Attachment Content Leak via REST API
Mantis Bug Tracker (MantisBT) is an open source issue tracker. From 2.23.0 to 2.28.1, a missing authorization check in MantisBT's file visibility function allows any authenticated user (REPORTER+) to download attachments on private bugnotes they should not be able to access, via the REST API endpoint GET /api/rest/issues/{id}/files and SOAP API mc_issue_attachment_get endpoint. This vulnerability is fixed in 2.28.2.
Weakness Type
What is an AuthZ Vulnerability?
The software does not perform an authorization check when an actor attempts to access a resource or perform an action.
CVE-2026-42071 has been classified to as an AuthZ vulnerability or weakness.
Products Associated with CVE-2026-42071
Want to know whenever a new CVE is published for MantisBT? stack.watch will email you.
Affected Versions
mantisbt Version >= 2.23.0, < 2.28.2 is affected by CVE-2026-42071Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.