Executive Summary

CVE-2026-34754 is an authorization bypass vulnerability in Mantis Bug Tracker (MantisBT) versions 2.28.1 and earlier. It allows an authenticated user to upload attachments to private issues they are not authorized to access.

The root cause is that the system checks upload permissions at the project level rather than the issue level for existing issues. This means users with project-level upload rights can attach files to any issue in that project, even if they cannot view the issue itself.

The vulnerability was fixed in version 2.28.2 by modifying the permission checks to enforce issue-level access control before allowing attachment uploads.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can impact you by allowing unauthorized users to upload attachments to private issues that they should not have access to.

Such unauthorized uploads could lead to information leakage, data tampering, or injection of malicious files into private issues, potentially compromising the integrity and confidentiality of sensitive project data.

Since the vulnerability requires only authenticated access with project-level upload permissions, it lowers the barrier for attackers within the organization to misuse the system.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by attempting to upload attachments to private issues without having the appropriate issue-level permissions. Specifically, an authenticated user with project-level upload permissions but without access to certain private issues could try to upload a file to those issues via the REST API.

To detect exploitation attempts or verify if your system is vulnerable, you can monitor REST API requests that upload attachments to issues and check if users are able to upload files to issues they should not have access to.

A practical approach to test this on your system is to use a REST client or command line tool like curl to attempt uploading an attachment to a private issue as a low-privileged user.

• Example curl command to test upload to an issue (replace placeholders accordingly):
• curl -u username:password -F '[email protected]' https://your-mantisbt-instance/api/rest/issues/{issue_id}/attachments

If the upload succeeds for a private issue where the user should not have access, the system is vulnerable.

Useful 0 Not Useful 0

Mitigation Strategies

The primary and immediate mitigation step is to upgrade Mantis Bug Tracker to version 2.28.2 or later, where this vulnerability has been fixed.

No workarounds are available, so applying the official patch or upgrading is essential to prevent unauthorized attachment uploads to private issues.

Additionally, review and restrict project-level upload permissions to minimize the risk until the upgrade can be applied.

Useful 0 Not Useful 0

Compliance Impact

The vulnerability allows authenticated users to upload attachments to private issues they are not authorized to access, which constitutes an authorization bypass and improper access control.

Such unauthorized access to private data could potentially lead to exposure or modification of sensitive information, which may impact compliance with data protection regulations like GDPR or HIPAA that require strict access controls and protection of private or sensitive data.

However, the provided information does not explicitly discuss compliance impacts or regulatory considerations.

Useful 0 Not Useful 0