CVE-2026-34744
Deferred - Pending Action

MantisBT Attachment Access Bypass in Private Issues

Vulnerability report for CVE-2026-34744, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-05-19

Last updated on: 2026-05-19

Assigner: GitHub, Inc.

Description

Mantis Bug Tracker (MantisBT) is an open source issue tracker. Versions 2.28.1 and prior permit a user to list and download attachments they uploaded to an issue created by another user even after that issue is made private, so the read-access revocation that the change to private is supposed to apply does not extend to the attachments. The loss of confidentiality is minimal: only attachments the user previously uploaded themselves remain accessible, not the issue or other users' files. This issue has been fixed in version 2.82.2.
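The flaw described above is an instance of CWE-281: an attachment's readability is tied to the uploader's identity and therefore survives a later change of the parent issue's visibility. The following is an added example, not MantisBT code, that models the timeline in a minimal in-memory issue tracker and contrasts the ownership-based rule with one anchored on the issue's current view state. All names (Issue, Attachment, can_view_issue, and so on) and the two-state visibility model are hypothetical simplifications.

```python
"""Model of attachment access surviving a change to private (added example)."""
from dataclasses import dataclass, field

PUBLIC, PRIVATE = "public", "private"


@dataclass
class Attachment:
    file_id: int
    uploader: str
    filename: str


@dataclass
class Issue:
    bug_id: int
    reporter: str
    view_state: str = PUBLIC
    attachments: list = field(default_factory=list)


@dataclass
class User:
    name: str
    is_manager: bool = False


def can_view_issue(user, issue):
    """Read access to the issue itself (hypothetical rule): public issues are
    visible to everyone, private ones only to the reporter or a manager."""
    if issue.view_state == PUBLIC:
        return True
    return user.name == issue.reporter or user.is_manager


def can_download_vulnerable(user, issue, att):
    # Ownership short-circuit: the uploader keeps access no matter what the
    # issue's current view_state is, so making the issue private does not
    # revoke access to the file. This is the CWE-281 pattern.
    if att.uploader == user.name:
        return True
    return can_view_issue(user, issue)


def can_download_fixed(user, issue, att):
    # Authorization is derived from the parent issue's *current* visibility.
    # Uploader identity never grants access on its own.
    if not can_view_issue(user, issue):
        return False
    return att in issue.attachments


def list_attachments(user, issue, rule):
    """Attachment listing as the user would see it under the given rule."""
    return [a.filename for a in issue.attachments if rule(user, issue, a)]


def scenario():
    """alice attaches a file to bob's public issue, bob makes it private,
    and alice's listing is re-evaluated under both rules. Constructed data."""
    alice, bob = User("alice"), User("bob")
    issue = Issue(bug_id=1, reporter="bob")
    issue.attachments += [
        Attachment(10, "alice", "trace.log"),
        Attachment(11, "bob", "screenshot.png"),
    ]
    out = {"alice_before": list_attachments(alice, issue, can_download_fixed)}
    issue.view_state = PRIVATE
    out["alice_after_vulnerable"] = list_attachments(alice, issue, can_download_vulnerable)
    out["alice_after_fixed"] = list_attachments(alice, issue, can_download_fixed)
    out["bob_after_fixed"] = list_attachments(bob, issue, can_download_fixed)
    return out


if __name__ == "__main__":
    for key, value in scenario().items():
        print(f"{key}: {value}")
```

Under the vulnerable rule alice still sees and can fetch trace.log after the issue goes private; under the fixed rule her listing is empty, while the reporter keeps full access. The general lesson is that any per-object permission check must re-derive from the parent container's current state on every request rather than from a property fixed at creation time.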

Meta Information

Published: 2026-05-19
Last Modified: 2026-05-19
Generated: 2026-06-30
AI Q&A: 2026-05-20
EPSS Evaluated: 2026-06-28

Affected Vendors & Products

2 associated CPEs

Vendor    Product    Version / Range
mantisbt  mantisbt   up to 2.82.2 (excluding)
mantisbt  mantisbt   2.82.2

CWE

CWE ID   Description
CWE-200  The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.
CWE-281  The product does not preserve permissions or incorrectly preserves permissions when copying, restoring, or sharing objects, which can cause them to have less restrictive permissions than intended.


Executive Summary

This vulnerability affects Mantis Bug Tracker (MantisBT) versions 2.28.1 and earlier. A user who uploaded attachments to an issue created by another user can still list and download those attachments after the issue has been made private: the change to private revokes the user's read access to the issue, but that revocation is not applied to the attachment listing and download paths.

The confidentiality loss is minimal because a user can only reach attachments they uploaded themselves, not the issue contents or files uploaded by others.

The issue has been fixed in version 2.82.2.

Impact Analysis

The impact is a minimal loss of confidentiality. A user retains access to their own attachments on private issues created by others, where the intended behaviour is that losing read access to the issue also removes access to everything attached to it.

What leaks is therefore limited to content the user already knew, since they uploaded it. The practical concern is the broken expectation on the issue owner's side: making an issue private does not fully cut off a previous contributor.

Mitigation Strategies

To mitigate this vulnerability, upgrade Mantis Bug Tracker to version 2.82.2 or later, where the issue has been fixed.

Compliance Impact

The vulnerability in Mantis Bug Tracker allows users to access and download their own attachments from issues that have become private, bypassing read access revocation. However, the loss of confidentiality is minimal because only attachments previously uploaded by the user themselves remain accessible.

Given this limited exposure, the impact on compliance with common standards and regulations such as GDPR or HIPAA is likely minimal, as the confidentiality breach does not extend to other users' data or sensitive information beyond the user's own attachments.

Detection Guidance

This vulnerability allows a user to list and download attachments they uploaded to an issue created by another user even after that issue has been made private, bypassing the read-access revocation that the change to private is supposed to apply.

Because the vulnerable server grants the request, there is no denied request or error to alert on: the download is recorded as an ordinary successful request. Detection is therefore a functional test against the instance. Acting as a user who uploaded an attachment to another user's issue that has since been set to private, attempt to list and download that attachment. If the listing or download still succeeds on version 2.28.1 or earlier, the instance is affected.

The available resources provide no specific commands or scripted checks for this vulnerability.
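The functional test described above can be scripted. The following is an added example, not MantisBT, vendor or NVD code. It assumes the stock MantisBT web download endpoint `file_download.php?file_id=<id>&type=bug`, that a served file carries a `Content-Disposition: attachment` header while a refused request renders an HTML page or redirects to the login page, and that the session is authenticated with the default `MANTIS_STRING_COOKIE` cookie. The HTTP call is injected as a `fetch` callable so the classification logic runs offline against the constructed responses at the bottom; swap in `urllib_fetch` for a live check.

```python
"""Check whether attachments on a now-private issue are still served (added example)."""
from dataclasses import dataclass
from urllib.parse import urlencode
import urllib.error
import urllib.request


@dataclass
class Response:
    status: int
    headers: dict
    body: bytes


def attachment_url(base_url, file_id):
    # Assumed stock endpoint; the uploader's own file_id values come from the
    # issue page as seen *before* the issue was made private.
    query = urlencode({"file_id": file_id, "type": "bug"})
    return f"{base_url.rstrip('/')}/file_download.php?{query}"


def classify(resp):
    """'served' if the response is a file download, 'denied' if the server
    answered with an error page, login redirect or 4xx, else 'unknown'."""
    headers = {k.lower(): v for k, v in resp.headers.items()}
    disposition = headers.get("content-disposition", "").lower()
    ctype = headers.get("content-type", "").lower()
    if resp.status in (401, 403):
        return "denied"
    if 300 <= resp.status < 400 and "login" in headers.get("location", ""):
        return "denied"
    if resp.status == 200 and "attachment" in disposition:
        return "served"
    if resp.status == 200 and "text/html" in ctype:
        return "denied"  # MantisBT renders access errors as an HTML page
    return "unknown"


def check_private_issue_attachments(base_url, file_ids, fetch):
    """file_ids: attachments the session's user uploaded to an issue they can
    no longer view. Returns {file_id: verdict}."""
    return {fid: classify(fetch(attachment_url(base_url, fid))) for fid in file_ids}


def still_exposed(results):
    """file_ids the server still hands out; non-empty means affected."""
    return sorted(fid for fid, verdict in results.items() if verdict == "served")


def urllib_fetch(url, session_cookie, timeout=15):
    """Live fetcher: session_cookie is the value of MANTIS_STRING_COOKIE for the
    uploader's logged-in session. Redirects are followed, so an expired
    session lands on the HTML login page and reads as 'denied'; confirm the
    session on a public issue's attachment first."""
    req = urllib.request.Request(url, headers={"Cookie": f"MANTIS_STRING_COOKIE={session_cookie}"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as r:
            return Response(r.status, dict(r.headers), r.read())
    except urllib.error.HTTPError as e:
        return Response(e.code, dict(e.headers), e.read())


# Constructed responses standing in for a live instance: 10 is still served
# (affected behaviour), 11 is refused with an error page, 12 is an expired
# session bounced to the login page.
_FAKE = {
    "file_download.php?file_id=10&type=bug": Response(
        200, {"Content-Type": "text/plain", "Content-Disposition": 'attachment; filename="trace.log"'}, b"..."),
    "file_download.php?file_id=11&type=bug": Response(
        200, {"Content-Type": "text/html; charset=UTF-8"}, b"<html>Access Denied</html>"),
    "file_download.php?file_id=12&type=bug": Response(
        302, {"Location": "login_page.php?return=file_download.php"}, b""),
}


def fake_fetch(url):
    return _FAKE[url.rsplit("/", 1)[-1]]


if __name__ == "__main__":
    results = check_private_issue_attachments("https://tracker.example", [10, 11, 12], fake_fetch)
    print(results, "exposed:", still_exposed(results))
```

Run this only against an instance you are authorized to test, with an account that you control and that uploaded the files in question; a non-empty `still_exposed` result on a version at or before 2.28.1 confirms the behaviour and the fix is the upgrade in Mitigation Strategies.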

