CVE-2026-42071: MantisBT has a Private Bugnote Attachment Content Leak via REST API

A missing authorization check in MantisBT's file visibility function allows any authenticated user (REPORTER+) to download attachments on private bugnotes they should not be able to access, via the REST API endpoint GET…

7.5CVSS Score

HIGHSeverity

NOCISA KEV

VulnerabilityImpact Type

📋 Vulnerability Details

CVE ID	CVE-2026-42071
Vendor	composer
Affected Product	mantisbt/mantisbt
Vulnerability Type	Vulnerability
CVSS Score	7.5 (HIGH)
Actively Exploited	❌ No known exploitation
Patch Status	See Vendor Advisory →
Reported By	CYBERDUDEBIVASH SENTINEL APEX Intelligence (via github_advisories)

🔬 Technical Analysis

Impact

• REPORTER (access level 25) can view file attachments that were uploaded to private bugnotes by DEVELOPER/MANAGER/ADMIN users

• Private bugnotes are intended for internal developer discussion; their attachments (logs, screenshots, patches) should be equally protected

• The web UI is NOT affected — it filters through bugnote_get_all_visible_bugnotes() first

Patches

• 029d9d203d9e4ae96b3e59d552fa7395cc1e5071

Workarounds

None

Credits

Thanks to the following security researchers f

🎯 Known Indicators of Compromise

{"type":"sha1","value":"029d9d203d9e4ae96b3e59d552fa7395cc1e5071","confidence_score":0.9,"first_seen":"2026-05-11","source_count":1}

📚 Advisory References

⚡ DETECTION RULES AVAILABLE

Get CVE-2026-42071 Detection Pack

Sigma rules, YARA signatures, IOC table, and SIEM queries for Splunk, Elastic, Sentinel, and Chronicle — deployable in 5 minutes.

✓ Sigma Rules ✓ YARA Pack ✓ IOC Table ✓ SIEM Queries

🛡️ Get Detection Pack → 🔌 Access via API →