CVE-2026-34390
Privilege Escalation in MantisBT via Project User Management
Publication date: 2026-05-19
Last updated on: 2026-05-20
Assigner: GitHub, Inc.
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| mantisbt | mantis_bug_tracker | up to 2.28.2 (excluding) |
| mantisbt | mantis_bug_tracker | 2.28.2 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-284 | The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor. |
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability allows users with manager-level access to escalate their privileges to project-level administrator within projects they manage. However, this escalation does not grant global administrative privileges or access to sensitive global functions such as managing users or projects across the entire MantisBT instance.
Given the limited scope of the privilege escalation and the absence of access to global administrative functions or sensitive data, the impact on compliance with common standards and regulations like GDPR or HIPAA is likely minimal.
Nevertheless, any unauthorized privilege escalation could potentially increase risk if sensitive project data is involved, so organizations should consider this vulnerability in their risk assessments and apply the fixed version 2.28.2 to mitigate it.
Can you explain this vulnerability to me?
Mantis Bug Tracker (MantisBT) versions 2.28.1 and earlier have a privilege escalation vulnerability in the ProjectUsersAddCommand component (manage_proj_user_add.php). Users with manage_project_threshold access (typically managers) can exploit insufficient access control checks to grant project-level administrator access to any user, including themselves, within any project they manage.
Normally, the project-user add form limits selectable access levels to the actor's own project role or below, but the backend handler accepts a forged higher access_level value and applies it.
The impact is limited because project-level administrator access is not significantly more powerful than manager access and does not grant global administrative privileges such as deleting projects or managing users, plugins, or custom fields.
This vulnerability was fixed in MantisBT version 2.28.2.
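The gap described above is a classic client-side-only restriction: the form hides higher levels, but the handler trusts the submitted access_level. The following Python model (an added illustration, not MantisBT's code) contrasts a handler that only checks the manage-project threshold with one that also caps the granted level at the actor's own project level and records over-grant attempts; the numeric level values and the threshold constant are assumptions chosen to mirror MantisBT's default ordering.

```python
# Added model of the project-user add check; not MantisBT's own code.
# Level values and the manage-project threshold are assumptions that
# mirror MantisBT's default ordering (viewer lowest, administrator highest).
VIEWER, REPORTER, UPDATER, DEVELOPER, MANAGER, ADMINISTRATOR = 10, 25, 40, 55, 70, 90
MANAGE_PROJECT_THRESHOLD = MANAGER


class AccessDenied(Exception):
    """Raised when the handler refuses the request."""


def project_access(members, user_id):
    """Effective access level of user_id in one project (0 = not a member)."""
    return members.get(user_id, 0)


def vulnerable_add_user(members, actor_id, target_id, requested_level):
    """Pre-2.28.2 behaviour as the page describes it: verify only that the
    actor may manage the project, then apply whatever the form submitted."""
    if project_access(members, actor_id) < MANAGE_PROJECT_THRESHOLD:
        raise AccessDenied("actor may not manage this project")
    members[target_id] = requested_level
    return members[target_id]


def hardened_add_user(members, actor_id, target_id, requested_level, audit):
    """Same threshold check plus a server-side cap: the granted level can
    never exceed the actor's own level in this project. Rejected over-grant
    attempts are appended to `audit` so they can be alerted on."""
    actor_level = project_access(members, actor_id)
    if actor_level < MANAGE_PROJECT_THRESHOLD:
        raise AccessDenied("actor may not manage this project")
    if requested_level > actor_level:
        audit.append(f"user {actor_id} requested level {requested_level} "
                     f"for user {target_id} but holds only {actor_level}")
        raise AccessDenied("requested access level exceeds actor's own")
    members[target_id] = requested_level
    return members[target_id]


def demo():
    """Constructed scenario: user 7 manages a project and submits a forged
    access_level of ADMINISTRATOR for their own account."""
    audit = []
    vuln, hard = {7: MANAGER}, {7: MANAGER}
    got_vuln = vulnerable_add_user(vuln, 7, 7, ADMINISTRATOR)  # escalates
    try:
        hardened_add_user(hard, 7, 7, ADMINISTRATOR, audit)
    except AccessDenied:
        pass
    # A legitimate grant at or below the actor's own level still succeeds.
    dev = hardened_add_user(hard, 7, 42, DEVELOPER, audit)
    return got_vuln, hard[7], dev, len(audit)
```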
How can this vulnerability impact me?
This vulnerability allows a user with manager-level access in a project to escalate their privileges to project-level administrator within that project.
While the escalation does not grant global administrative rights or the ability to delete projects, it could allow the user to perform actions reserved for project administrators, potentially affecting project management and control.
The overall impact is considered slight because the difference between manager and project-level administrator roles is minimal in this context.
What immediate steps should I take to mitigate this vulnerability?
The vulnerability has been fixed in Mantis Bug Tracker version 2.28.2. The immediate step to mitigate this vulnerability is to upgrade your MantisBT installation to version 2.28.2 or later.