MantisBT CVE-2026-49280
MEDIUMSeverity by source
Network-reachable API, low complexity; PR:L because UPDATER role (default authenticated contributor) is required; integrity-only impact on issue status data.
Estimated by vuln.today — no official severity rating has been published for this CVE yet.
Lifecycle Timeline
2DescriptionCVE.org
A MantisBT user having *$g_update_bug_threshold* (UPDATER by default) can change an Issue's Status via REST and SOAP API, even if the *$g_set_status_threshold* config is set to a higher level (DEVELOPER by default).
Impact
Unauthorized change in Issue workflow.
Patches
https://github.com/mantisbt/mantisbt/releases/tag/release-2.28.4
Workarounds
None
Resources
- https://mantisbt.org/bugs/view.php?id=37181
Credits
Mamdouh Mahfouz (@mamdouhmahfouz)
AnalysisAI
MantisBT's REST and SOAP APIs fail to enforce the $g_set_status_threshold authorization gate, allowing any authenticated user holding the UPDATER role (the default update permission) to change an issue's workflow status to values that should require DEVELOPER-level access or higher. The vulnerability is confirmed patched in release 2.28.4 with no public exploit or KEV listing. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | The attacker must hold a valid MantisBT account with at least the UPDATER access level on the target project (UPDATER is the default threshold for $g_update_bug_threshold, so this applies to all ordinary contributors unless the admin has raised that threshold). … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | No CVSS vector was provided by NVD or the vendor advisory, so scoring here is independently assessed. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An authenticated MantisBT user assigned the default UPDATER role (e.g., a contractor or reporter with basic edit rights) sends a crafted REST or SOAP API request to change a bug's status from 'new' to 'resolved' or another DEVELOPER-gated state. Because the API handler did not verify the caller's permission against the $g_set_status_threshold, the status change succeeds without triggering an access-denied response. … |
| Remediation | Upgrade MantisBT to version 2.28.4, available at https://github.com/mantisbt/mantisbt/releases/tag/release-2.28.4. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
sapi/cgi/cgi_main.c in PHP before 5.3.12 and 5.4.x before 5.4.2, when configured as a CGI script (aka php-cgi), does not
(1) boardData102.php, (2) boardData103.php, (3) boardDataJP.php, (4) boardDataNA.php, and (5) boardDataWW.php in Netgear
ProjectSend versions prior to r1720 are affected by an improper authentication vulnerability. Rated critical severity (C
Roundcube Webmail contains a critical PHP object deserialization vulnerability (CVE-2025-49113, CVSS 9.9) that allows au
Util/PHP/eval-stdin.php in PHPUnit before 4.8.28 and 5.x before 5.6.3 allows remote attackers to execute arbitrary PHP c
Palo Alto Networks PAN-OS management web interface contains an authentication bypass allowing unauthenticated attackers
Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re
Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re
The get_referers function in /opt/ws/bin/sblistpack in Sophos Web Appliance before 3.7.9.1 and 3.8 before 3.8.1.1 allows
The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1
NetAlertX (formerly PiAlert) versions 23.01.14 through 24.x before 24.10.12 allow unauthenticated command injection thro
The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all
Same weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
GHSA-m7ph-9558-mrx3