CVE-2026-42070

Description

The mc_issue_update() function in MantisBT allows users having *update_bug_threshold* access (UPDATER, with default settings) to edit, change view state, and modify time tracking on bugnotes belonging to other users — bypassing the default DEVELOPER (level 55) threshold required by the dedicated mc_issue_note_update() function. ### Impact 1. UPDATER can edit notes by DEVELOPER/MANAGER/ADMIN — bypassing the DEVELOPER threshold 2. UPDATER can change private notes to public — exposing confidential internal discussion 3. UPDATER can change public notes to private — hiding information from reporters/viewers ### Patches - 6e58fae4f22efdc3987f903c8ba2611de17a9435 ### Workarounds None ### Credits Thanks to the following security researchers for independently discovering and responsibly reporting the issue. - Vishal Shukla - Tristan Madani (@TristanInSec) from Talence Security This advisory's contents was largely copied from Tristan's well-written report.

How to fix CVE-2026-42070

To remediate CVE-2026-42070, upgrade the affected package to a fixed version below.

• —upgrade to 2.28.2 or later

Is CVE-2026-42070 being exploited?

Low — EPSS is 0.0%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

• from 0, < 2.28.2

CVSS scores

References (6)

• ADVISORYnvd.nist.gov/vuln/detail/CVE-2026-42070
• PATCHgithub.com/mantisbt/mantisbt
• WEBgithub.com/mantisbt/mantisbt/commit/6e58fae4f22efdc3987f903c8ba2611de17a9435
• WEBgithub.com/mantisbt/mantisbt/security/advisories/GHSA-pq86-j2c2-47f6