Executive Summary

CVE-2026-34970 is a vulnerability in Mantis Bug Tracker (MantisBT) versions 2.28.1 and earlier where a bugnote author can access the bugnote's Revisions page even after losing access to the parent private issue.

This happens because the function controlling access to bugnote revisions allows the bugnote reporter to view revisions regardless of whether they still have permission to view the parent issue.

As a result, unauthorized users can see private issue metadata such as the issue ID and summary by directly accessing the revision page via the bugnote ID.

The vulnerability was fixed in MantisBT version 2.28.2 by adding an additional access check to ensure users can only view bugnote revisions if they also have access to the parent issue.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can lead to unauthorized disclosure of private issue metadata, including the issue ID and summary, even after a user’s access to the parent issue has been revoked.

Such information leakage can expose sensitive project details to unauthorized users, potentially compromising confidentiality.

Since the vulnerability requires only low privileges and has low attack complexity, it can be exploited remotely without user interaction.

However, the full content of the bugnote revisions remains secure, limiting the scope of the information exposed.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability involves unauthorized access to the bugnote revisions page in MantisBT versions 2.28.1 and earlier, allowing disclosure of private issue metadata. Detection involves verifying if users can access bugnote revisions without having access to the parent private issue.

One way to detect this is to attempt accessing the bugnote revisions page directly using a bugnote ID for a private issue from a user account that should no longer have access to the parent issue. If access is granted, the system is vulnerable.

Since this is an application-level access control issue, network-level detection commands are not directly applicable. However, you can check the MantisBT version installed on your system to determine if it is vulnerable.

• Check MantisBT version via command line (example):
• grep 'MantisBT version' /path/to/mantisbt/README or VERSION file
• Alternatively, check the version from the MantisBT web interface's About page.

If the version is 2.28.1 or earlier, the system is vulnerable.

Useful 0 Not Useful 0

Mitigation Strategies

The primary mitigation step is to upgrade MantisBT to version 2.28.2 or later, where the vulnerability has been fixed.

The fix ensures that users can only view bugnote revisions if they also have access to the parent issue, preventing unauthorized disclosure of private issue metadata.

If immediate upgrade is not possible, restrict access to the bugnote revisions page by applying additional access controls or temporarily disabling access to this feature for users who have lost access to private issues.

Review user permissions and ensure that users who should not have access to private issues are properly restricted.

Useful 0 Not Useful 0

Compliance Impact

This vulnerability in MantisBT allows unauthorized disclosure of private issue metadata, such as issue ID and summary, to users who have lost access to the parent private issue. Such unauthorized exposure of sensitive information could potentially lead to non-compliance with data protection regulations like GDPR and HIPAA, which require strict controls on access to personal and sensitive data.

By leaking private issue details to unauthorized users, the vulnerability increases the risk of sensitive information exposure, which may violate confidentiality and data privacy requirements mandated by these standards.

The issue has been fixed in version 2.28.2 by ensuring that users can only view bugnote revisions if they also have access to the parent issue, thereby restoring proper access control and helping maintain compliance.

Useful 0 Not Useful 0