CVE-2026-34744
Status: Deferred - Pending Action
MantisBT Attachment Access Bypass in Private Issues

Publication date: 2026-05-19

Last updated on: 2026-05-19

Assigner: GitHub, Inc.

Description
Mantis Bug Tracker (MantisBT) is an open source issue tracker. Versions 2.28.1 and prior permit a user to list and download their own attachments from an Issue created by another user even after it becomes private, bypassing read access revocation. The loss of confidentiality caused by this vulnerability is minimal, considering that only attachments previously uploaded by the user themselves remain accessible. This issue has been fixed in version 2.82.2.
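The flaw described above is an authorization ordering problem: an attachment check that grants access to the uploader before (or instead of) re-checking current read access on the parent issue will keep serving the file after the issue is made private. The following is an added illustrative model written for this page, not MantisBT's own code; the data classes, the allowed-user set and the two policy functions are assumptions chosen to show the weak decision next to the corrected one.

```python
from dataclasses import dataclass

# Constructed model of the access decision in the advisory; not MantisBT code.

@dataclass(frozen=True)
class Issue:
    issue_id: int
    reporter: str
    private: bool
    allowed: frozenset = frozenset()  # users explicitly granted access

@dataclass(frozen=True)
class Attachment:
    attachment_id: int
    issue_id: int
    uploader: str

def can_view_issue(user: str, issue: Issue) -> bool:
    """Current read access to the issue: public issues are readable by all,
    private issues only by the reporter and explicitly allowed users."""
    if not issue.private:
        return True
    return user == issue.reporter or user in issue.allowed

def can_download_attachment_vulnerable(user, att, issue):
    # Flawed: the uploader short-circuits past the issue check, so revoking
    # read access on the issue does not revoke access to the attachment.
    if att.uploader == user:
        return True
    return can_view_issue(user, issue)

def can_download_attachment_fixed(user, att, issue):
    # Hardened: issue read access is re-evaluated on every request and is a
    # precondition; uploader identity never bypasses it.
    return can_view_issue(user, issue)

def list_attachments(user, issue, attachments, policy):
    """Attachment ids on `issue` that `user` may see under `policy`."""
    return [a.attachment_id for a in attachments
            if a.issue_id == issue.issue_id and policy(user, a, issue)]

# Constructed scenario: alice reports issue 7, bob uploads attachment 1,
# then the issue is made private with bob not in the allowed set.
ISSUE_PUBLIC = Issue(7, "alice", private=False)
ISSUE_PRIVATE = Issue(7, "alice", private=True, allowed=frozenset({"carol"}))
ATTACHMENTS = [Attachment(1, 7, "bob"), Attachment(2, 7, "alice")]

def regression_check() -> bool:
    """True when the fixed policy revokes bob's access along with the issue."""
    vuln = list_attachments("bob", ISSUE_PRIVATE, ATTACHMENTS, can_download_attachment_vulnerable)
    fixed = list_attachments("bob", ISSUE_PRIVATE, ATTACHMENTS, can_download_attachment_fixed)
    return vuln == [1] and fixed == []

if __name__ == "__main__":
    print("fixed policy revokes uploader access:", regression_check())
```

A check of this shape belongs in the application's regression tests: it fails on the weak policy and passes once read access is the gate.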
Meta Information
Published: 2026-05-19
Last Modified: 2026-05-19
Generated: 2026-06-10
AI Q&A: 2026-05-20
EPSS Evaluated: 2026-06-08
Affected Vendors & Products
Showing 2 associated CPEs
Vendor   | Product  | Version / Range
mantisbt | mantisbt | up to 2.82.2 (excluding)
mantisbt | mantisbt | 2.82.2
CWE
CWE ID  | Description
CWE-200 | The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.
CWE-281 | The product does not preserve permissions or incorrectly preserves permissions when copying, restoring, or sharing objects, which can cause them to have less restrictive permissions than intended.
Executive Summary

This vulnerability affects Mantis Bug Tracker (MantisBT) versions 2.28.1 and earlier. It allows a user to list and download their own attachments from an issue created by another user even after that issue has been made private. This means that the system does not properly revoke read access to these attachments, allowing continued access despite the privacy setting.

However, the confidentiality loss is minimal because users can only access attachments they themselves previously uploaded.

The issue has been fixed in version 2.82.2.

Compliance Impact

The vulnerability in Mantis Bug Tracker allows users to access and download their own attachments from issues that have become private, bypassing read access revocation. However, the loss of confidentiality is minimal because only attachments previously uploaded by the user themselves remain accessible.

Given this limited exposure, the impact on compliance with common standards and regulations such as GDPR or HIPAA is likely minimal, as the confidentiality breach does not extend to other users' data or sensitive information beyond the user's own attachments.

Impact Analysis

The impact of this vulnerability is a minimal loss of confidentiality. Users can still access their own attachments from private issues created by others, which should have been restricted.

This could potentially expose some information that was intended to be private, but only the attachments uploaded by the user themselves remain accessible.

Mitigation Strategies

To mitigate this vulnerability, upgrade Mantis Bug Tracker to version 2.82.2 or later, where the issue has been fixed.

Detection Guidance

This vulnerability allows a user to list and download their own attachments from an Issue created by another user even after it becomes private, bypassing read access revocation.

To detect this vulnerability on your system, you can attempt to access attachments from private issues that you did not create but to which you previously uploaded attachments.

Since this is an authorization bypass in Mantis Bug Tracker versions 2.28.1 and prior, detection consists of verifying whether users can still list or download their own attachments on private issues for which their read access has been revoked.

There are no specific commands provided in the available resources to detect this vulnerability on your network or system.
