View Issue Details

IDProjectCategoryView StatusLast Update
0037065mantisbtsecuritypublic2026-07-15 08:07
Reporterninjasec Assigned Todregad  
PrioritynormalSeverityminorReproducibilityalways
Status closedResolutionfixed 
Product Version2.28.1 
Target Version2.28.4Fixed in Version2.28.4 
Summary0037065: CVE-2026-52882: REST and SOAP API Issue Update Accepts Unreleased Product Versions From Updaters
Description

The REST issue-update endpoint PATCH /api/rest/issues/{id} allows an UPDATER-level user to set an unreleased product version that is absent from the normal web update form.

From the MantisBT UI, unreleased versions are only available if the user has $g_report_issues_for_unreleased_versions_threshold (DEVELOPER by default).

The same issue is also present from the SOAP API (see duplicate issue #37068 for details), since both APIs rely on mc_issue_update()..

Steps To Reproduce

Control request:
GET /bug_update_page.php?bug_id=4 as developer at UPDATER (40)

Observed form fragment:

<select tabindex="10" id="version" name="version" class="input-sm"><option value=""> </option></select>

REST request:

PATCH /api/rest/issues/4 HTTP/1.1
Content-Type: application/json

{
  "version": { "name": "UNREL-UPD-2026" }
}

Observed response:

HTTP/1.1 200 Issue with id 4 Updated

Observed response body excerpt:

"version":{"id":"5","name":"UNREL-UPD-2026"}
Additional Information

Severity:
Medium (authorization bypass)

Type:
Server-side authorization flaw

Affected code:
api/rest/restcore/issues_rest.php (lines 407-441)
api/soap/mc_issue_api.php (shared mc_issue_update() path)

Why it happens:
rest_issue_update() delegates directly to mc_issue_update():

$t_result = mc_issue_update( /* username */ '', /* password */ '', $t_issue_id, $t_issue );

And mc_issue_update() resolves the supplied version by existence only:

$fn_get_version_id = function( string $p_field, array $p_issue, int $p_project_id ): int {
    if( !isset( $p_issue[$p_field] ) ) {
        return 0;
    }
    return mci_get_version_id( $p_issue[$p_field], $p_project_id, $p_field );
};

Impact:
Users below report_issues_for_unreleased_versions_threshold can assign hidden
unreleased product versions through REST updates.

TagsNo tags attached.

Activities

dregad

dregad

2026-05-30 09:20

developer   ~0071194

Last edited: 2026-05-30 09:21

Bug is confirmed.

The problem is also present in bug_update.php - if the user sends a crafted request with an unreleased version, the bug is updated regardless of $g_report_issues_for_unreleased_versions_threshold.

Advisory https://github.com/mantisbt/mantisbt/security/advisories/GHSA-3v2j-6fw9-f57c created, CVE request sent.

dregad

dregad

2026-05-30 09:44

developer   ~0071195

PR for review https://github.com/mantisbt/mantisbt-private/pull/17

@ninjasec your feedback would be appreciated.

dregad

dregad

2026-06-27 11:21

developer   ~0071261

CVE-2026-52882 assigned (on 09-Jun-2026).

Related Changesets

MantisBT: master-2.28 6b248809

2026-05-30 09:22

dregad


Details Diff
New version_is_released() API function

Also added VersionData::is_released() method.

Issue 0037065
Affected Issues
0037065
mod - core/version_api.php Diff File

MantisBT: master-2.28 016f1055

2026-05-30 09:29

dregad


Details Diff
Prevent unauthorized update of `version` field

Users below report_issues_for_unreleased_versions_threshold should not
be allowed to set an Issue's product version to an unreleased one.

Added the necessary access check to prevent that.

Fixes 0037065, GHSA-3v2j-6fw9-f57c
Affected Issues
0037065
mod - api/soap/mc_issue_api.php Diff File

MantisBT: master-2.28 0ac87c39

2026-05-30 09:35

dregad


Details Diff
Prevent unauthorized update of `version` field (2)

Users below report_issues_for_unreleased_versions_threshold should not
be allowed to set an Issue's product version to an unreleased one.

This addresses the problem in the MantisBT UI - users could send a
crafted request to bug_report.php or bug_update.php

Added the necessary access checks to prevent that.

Fixes 0037065, GHSA-3v2j-6fw9-f57c
Affected Issues
0037065
mod - bug_update.php Diff File
mod - core/commands/IssueAddCommand.php Diff File

MantisBT: master-2.28 17072d4c

2026-06-27 12:50

dregad


Details Diff
Prevent unauthorized update of version field

Fixes 0037065, CVE-2026-52882
Affected Issues
0037065
mod - api/soap/mc_issue_api.php Diff File
mod - bug_update.php Diff File
mod - core/commands/IssueAddCommand.php Diff File
mod - core/version_api.php Diff File