Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
2DescriptionGitHub Advisory
The mc_issue_update() function in MantisBT allows users having *update_bug_threshold* access (UPDATER, with default settings) to edit, change view state, and modify time tracking on bugnotes belonging to other users - bypassing the default DEVELOPER (level 55) threshold required by the dedicated mc_issue_note_update() function.
Impact
- UPDATER can edit notes by DEVELOPER/MANAGER/ADMIN - bypassing the DEVELOPER threshold
- UPDATER can change private notes to public - exposing confidential internal discussion
- UPDATER can change public notes to private - hiding information from reporters/viewers
Patches
- 6e58fae4f22efdc3987f903c8ba2611de17a9435
Workarounds
None
Credits
Thanks to the following security researchers for independently discovering and responsibly reporting the issue.
- Vishal Shukla
- Tristan Madani (@TristanInSec) from Talence Security
This advisory's contents was largely copied from Tristan's well-written report.
Analysis
The mc_issue_update() function in MantisBT allows users having *update_bug_threshold* access (UPDATER, with default settings) to edit, change view state, and modify time tracking on bugnotes belonging to other users - bypassing the default DEVELOPER (level 55) threshold required by the dedicated mc_issue_note_update() function.
Impact
- UPDATER can edit notes by DEVELOPER/MANAGER/ADMIN - bypassing the DEVELOPER threshold
- UPDATER can change private notes to public - exposing confidential internal discussion
- UPDATER can change public notes to private - hiding information from reporters/viewers
Patches
- 6e58fae4f22efdc3987f903c8ba2611de17a9435
Workarounds
None
Credits
Thanks to the following security researchers for independently discovering and responsibly reporting the issue.
- Vishal Shukla
- Tristan Madani (@TristanInSec) from Talence Security
This advisory's contents was largely copied from Tristan's well-written report.
Same weakness CWE-863 – Incorrect Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-33026
GHSA-pq86-j2c2-47f6