GHSA-3v2j-6fw9-f57c: MantisBT: REST and SOAP API Issue Update Accepts Unreleased Product Versions From Updaters
MantisBT versions prior to 2.28.4 contain a vulnerability in their REST and SOAP APIs that allows users with privileges below the _report_issues_for_unreleased_versions_threshold_ to assign unreleased product versions when updating issues. This behavior can lead to inconsistent or unauthorized assignment of product versions in issue tracking. A patch addressing this issue is available in version 2.28.4. No workarounds are documented.
AI Analysis
Technical Summary
The vulnerability in MantisBT affects versions before 2.28.4, where the REST and SOAP APIs permit users with lower privileges than the configured threshold to assign unreleased product versions during issue updates. This issue is tracked as CVE-2026-52882 and relates to CWE-639 (Authorization Bypass Through User-Controlled Key). The vulnerability has moderate severity with a CVSS 4.0 vector indicating network attack vector, low complexity, and low privileges required. The vendor has released an official fix in version 2.28.4, as referenced in the commit https://github.com/mantisbt/mantisbt/commit/17072d4c322c85f7135ebec3417a6d90b525d12f. No known exploits are reported in the wild.
Potential Impact
Users with privileges below the intended threshold can assign unreleased product versions to issues, potentially causing data integrity issues or unauthorized version assignments within the MantisBT issue tracking system. There is no indication of direct code execution or data disclosure from this vulnerability.
Mitigation Recommendations
An official patch is available and should be applied by upgrading MantisBT to version 2.28.4 or later. No workarounds are documented, so applying the update is the recommended remediation.
GHSA-3v2j-6fw9-f57c: MantisBT: REST and SOAP API Issue Update Accepts Unreleased Product Versions From Updaters
Description
MantisBT versions prior to 2.28.4 contain a vulnerability in their REST and SOAP APIs that allows users with privileges below the _report_issues_for_unreleased_versions_threshold_ to assign unreleased product versions when updating issues. This behavior can lead to inconsistent or unauthorized assignment of product versions in issue tracking. A patch addressing this issue is available in version 2.28.4. No workarounds are documented.
CVSS v4.0
Affected software
Run on your own infrastructure? Check whether these packages are installed with threat-finder — our free open-source scanner.
Weaknesses
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The vulnerability in MantisBT affects versions before 2.28.4, where the REST and SOAP APIs permit users with lower privileges than the configured threshold to assign unreleased product versions during issue updates. This issue is tracked as CVE-2026-52882 and relates to CWE-639 (Authorization Bypass Through User-Controlled Key). The vulnerability has moderate severity with a CVSS 4.0 vector indicating network attack vector, low complexity, and low privileges required. The vendor has released an official fix in version 2.28.4, as referenced in the commit https://github.com/mantisbt/mantisbt/commit/17072d4c322c85f7135ebec3417a6d90b525d12f. No known exploits are reported in the wild.
Potential Impact
Users with privileges below the intended threshold can assign unreleased product versions to issues, potentially causing data integrity issues or unauthorized version assignments within the MantisBT issue tracking system. There is no indication of direct code execution or data disclosure from this vulnerability.
Mitigation Recommendations
An official patch is available and should be applied by upgrading MantisBT to version 2.28.4 or later. No workarounds are documented, so applying the update is the recommended remediation.
Technical Details
- Gcve Source
- db.gcve.eu
- Osv Id
- GHSA-3v2j-6fw9-f57c
- Osv Schema Version
- 1.4.0
- Aliases
- ["CVE-2026-52882"]
- Ecosystems
- ["Packagist"]
- Database Specific Severity
- MODERATE
- Cvss Version
- 4.0
Threat ID: 6a58b44368715ace43d6abe4
Added to database: 07/16/2026, 10:36:51 UTC
Last enriched: 07/16/2026, 11:22:47 UTC
Last updated: 07/17/2026, 00:41:19 UTC
Views: 4
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.