GHSA-m7ph-9558-mrx3Medium

MantisBT: REST API unauthorized Issue status change

Published
July 15, 2026
Last Modified
July 15, 2026

🔗 CVE IDs covered (1)

📋 Description

A MantisBT user having $g_update_bug_threshold (UPDATER by default) can change an Issue's Status via REST and SOAP API, even if the $g_set_status_threshold config is set to a higher level (DEVELOPER by default).

Impact

Unauthorized change in Issue workflow.

Patches

https://github.com/mantisbt/mantisbt/releases/tag/release-2.28.4

Workarounds

None

Resources

  • https://mantisbt.org/bugs/view.php?id=37181

Credits

Mamdouh Mahfouz (@mamdouhmahfouz)

🎯 Affected products1

  • composer/mantisbt/mantisbt:>= 2.8.0, <= 2.28.3

🔗 References (4)