CVE-2026-34744
MantisBT Attachment Access Bypass in Private Issues
Publication date: 2026-05-19
Last updated on: 2026-05-19
Assigner: GitHub, Inc.
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| mantisbt | mantisbt | all versions before 2.82.2 (2.82.2 excluded) |
| mantisbt | mantisbt | 2.82.2 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-281 | The product does not preserve permissions or incorrectly preserves permissions when copying, restoring, or sharing objects, which can cause them to have less restrictive permissions than intended. |
| CWE-200 | The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information. |
AI Powered Q&A
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability allows a user to list and download their own attachments from an Issue created by another user even after it becomes private, bypassing read access revocation.
To detect this vulnerability on your system, you can attempt to access attachments from private issues that you did not create but to which you previously uploaded attachments.
Since this is an authorization bypass issue in Mantis Bug Tracker versions 2.28.1 and prior, detection involves verifying whether users can still access their own attachments from private issues they no longer have access to.
There are no specific commands provided in the available resources to detect this vulnerability on your network or system.
Can you explain this vulnerability to me?
This vulnerability affects Mantis Bug Tracker (MantisBT) versions 2.28.1 and earlier. It allows a user to list and download their own attachments from an issue created by another user even after that issue has been made private. This means that the system does not properly revoke read access to these attachments, allowing continued access despite the privacy setting.
However, the confidentiality loss is minimal because users can only access attachments they themselves previously uploaded.
The issue has been fixed in version 2.82.2.
How can this vulnerability impact me?
The impact of this vulnerability is a minimal loss of confidentiality. Users can still access their own attachments from private issues created by others, which should have been restricted.
This could potentially expose some information that was intended to be private, but only the attachments uploaded by the user themselves remain accessible.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, upgrade Mantis Bug Tracker to version 2.82.2 or later, where the issue has been fixed.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability in Mantis Bug Tracker allows users to access and download their own attachments from issues that have become private, bypassing read access revocation. However, the loss of confidentiality is minimal because only attachments previously uploaded by the user themselves remain accessible.
Given this limited exposure, the impact on compliance with common standards and regulations such as GDPR or HIPAA is likely minimal, as the confidentiality breach does not extend to other users' data or sensitive information beyond the user's own attachments.