PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-34390 mantisbt CVE debrief

Mantis Bug Tracker (MantisBT) versions 2.28.1 and prior contain a privilege escalation vulnerability in the ProjectUsersAddCommand handler (manage_proj_user_add.php). Users with the manage_project_threshold access level (manager by default) can bypass frontend restrictions and forge a higher access_level value to grant project-level administrator access to any user, including themselves, in projects they manage. The impact is limited: project-level administrator access does not confer global administrative privileges such as managing users, projects, plugins, or custom fields, nor does it allow project deletion. The vulnerability stems from insufficient server-side validation of the access_level parameter. This issue has been resolved in version 2.28.2.

Vendor
mantisbt
Product
Unknown
CVSS
MEDIUM 5.1
CISA KEV
Not listed in stored evidence
Original CVE published
2026-05-19
Original CVE updated
2026-05-20
Advisory published
2026-05-19
Advisory updated
2026-05-20

Who should care

MantisBT administrators and security teams managing on-premise or self-hosted MantisBT instances, particularly those with multiple project managers or delegated project administration responsibilities.

Technical summary

The vulnerability exists in manage_proj_user_add.php where the ProjectUsersAddCommand handler fails to properly validate the access_level parameter against the actor's own permissions. While the frontend form restricts selectable access levels, the backend accepts and processes forged higher values. This allows a manager (manage_project_threshold) to escalate any user to project administrator within their managed projects. The fix in 2.28.2 adds server-side enforcement of access level boundaries.
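To make the missing check concrete, here is an added example (not MantisBT's code) of a minimal project-user-add handler in two shapes: the vulnerable one trusts whatever `access_level` the request carries once the actor clears the manage threshold, while the hardened one re-derives the actor's own level in that project server-side and refuses any grant above it. The numeric level ladder, the `project_users` store and the function names are assumptions made for this illustration.

```python
# Added example, not MantisBT code: a project-user-add handler in the
# vulnerable shape (trusting the submitted access_level) beside a hardened
# one that bounds the grant by the actor's own level in that project.
# The numeric ladder and the threshold below are assumptions for this example.

VIEWER, REPORTER, UPDATER, DEVELOPER, MANAGER, ADMINISTRATOR = 10, 25, 40, 55, 70, 90
KNOWN_LEVELS = {VIEWER, REPORTER, UPDATER, DEVELOPER, MANAGER, ADMINISTRATOR}
MANAGE_PROJECT_THRESHOLD = MANAGER  # who may add users to a project


class AccessDenied(Exception):
    """Raised when a request fails a server-side access check."""


def project_level(project_users, project_id, user_id):
    """Effective access level of user_id in project_id (0 = no access)."""
    return project_users.get((project_id, user_id), 0)


def add_project_user_unchecked(project_users, project_id, actor_id, target_id, access_level):
    """Vulnerable shape: once the actor clears the manage threshold, the
    submitted access_level is stored verbatim. The frontend form only offers
    levels up to the actor's own, but a forged request is never bounded."""
    if project_level(project_users, project_id, actor_id) < MANAGE_PROJECT_THRESHOLD:
        raise AccessDenied("actor may not manage users in this project")
    project_users[(project_id, target_id)] = access_level
    return access_level


def add_project_user_checked(project_users, project_id, actor_id, target_id, access_level):
    """Hardened shape: the server recomputes the actor's level and rejects
    unknown values and any grant above that level, so a manager cannot
    mint a project administrator (themselves included)."""
    actor_level = project_level(project_users, project_id, actor_id)
    if actor_level < MANAGE_PROJECT_THRESHOLD:
        raise AccessDenied("actor may not manage users in this project")
    if access_level not in KNOWN_LEVELS:
        raise AccessDenied("unknown access_level value")
    if access_level > actor_level:
        raise AccessDenied("requested access_level exceeds the actor's own level")
    project_users[(project_id, target_id)] = access_level
    return access_level


def demo():
    """Constructed scenario: user 7 is a manager of project 3 and submits a
    forged access_level of ADMINISTRATOR for their own account."""
    outcome = {}
    for name, handler in (("unchecked", add_project_user_unchecked),
                          ("checked", add_project_user_checked)):
        users = {(3, 7): MANAGER}  # fresh state for each handler
        try:
            handler(users, 3, actor_id=7, target_id=7, access_level=ADMINISTRATOR)
            outcome[name] = users[(3, 7)]
        except AccessDenied as exc:
            outcome[name] = str(exc)
    return outcome


if __name__ == "__main__":
    print(demo())
```

The point of the hardened version is that the bound comes from state the server already holds (the actor's stored project level), never from the request; the frontend's restricted dropdown is a usability feature, not a control.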

Defensive priority

medium

Recommended defensive actions

  • Upgrade MantisBT to version 2.28.2 or later to remediate this vulnerability.
  • Review project user access levels for any unauthorized elevation that may have occurred prior to patching.
  • Implement principle of least privilege by restricting manage_project_threshold access to only necessary personnel.
  • Monitor access logs for suspicious project user modifications, particularly access_level changes to administrator.
  • Consider implementing additional application-layer access control validation for sensitive operations.
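For the review and monitoring actions above, here is an added example (not MantisBT's own tooling) that scans project-user change events for grants of administrator level made by an actor whose own level in that project is below administrator, and for self-elevation. The log line format, the roster snapshot of known actor levels, and the sample events are all constructed for this illustration; a real deployment would feed it the instance's own audit records and a current export of project memberships.

```python
# Added example, not MantisBT tooling: flag project-user changes that grant
# administrator level beyond the actor's own level, or that target the actor.
import re

MANAGER, ADMINISTRATOR = 70, 90  # assumed numeric ladder, as in the advisory's terms

# Constructed line format for this example; real MantisBT logs differ.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) project=(?P<project>\d+) actor=(?P<actor>\w+) "
    r"target=(?P<target>\w+) action=(?P<action>\w+) access_level=(?P<level>\d+)$"
)

# Constructed roster snapshot: (project_id, username) -> stored project level.
ROSTER = {(3, "alice"): ADMINISTRATOR, (3, "carol"): MANAGER, (5, "alice"): ADMINISTRATOR}

# Constructed sample events (one malformed line included on purpose).
SAMPLE_LOG = """\
2026-05-19T09:58:02Z project=3 actor=alice target=bob action=project_user_add access_level=55
2026-05-19T10:02:11Z project=3 actor=carol target=carol action=project_user_add access_level=90
2026-05-19T10:05:40Z project=3 actor=carol target=dave action=project_user_update access_level=90
2026-05-19T10:07:13Z project=5 actor=alice target=erin action=project_user_add access_level=90
2026-05-19T10:09:55Z project=3 actor=carol target=frank action=project_user_add access_level=40
this line is not a project user event
"""

WATCHED_ACTIONS = ("project_user_add", "project_user_update")


def parse_events(text):
    """Parse lines matching LOG_RE into dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            d = m.groupdict()
            d["project"] = int(d["project"])
            d["level"] = int(d["level"])
            events.append(d)
    return events


def find_suspicious_grants(text, roster):
    """Return watched events where the granted level is administrator and the
    actor's roster level is below it, or where the actor elevates themselves."""
    flagged = []
    for ev in parse_events(text):
        if ev["action"] not in WATCHED_ACTIONS:
            continue
        actor_level = roster.get((ev["project"], ev["actor"]), 0)
        reasons = []
        if ev["level"] >= ADMINISTRATOR and actor_level < ADMINISTRATOR:
            reasons.append("grant above actor's own level")
        if ev["actor"] == ev["target"] and ev["level"] > actor_level:
            reasons.append("self-elevation")
        if reasons:
            flagged.append({**ev, "actor_level": actor_level, "reasons": reasons})
    return flagged


if __name__ == "__main__":
    for ev in find_suspicious_grants(SAMPLE_LOG, ROSTER):
        print(ev["ts"], ev["actor"], "->", ev["target"], ev["level"], ev["reasons"])
```

Run against records from before the upgrade, the same comparison (granted level versus the actor's stored level) is what the "review project user access levels" step amounts to; any hit should be reconciled against who was meant to hold project administrator rights.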

Evidence notes

Vulnerability confirmed through GitHub Security Advisory GHSA-frf7-jhp9-jxm6 and MantisBT bug tracker entries. Fix commit 69e0180f180ed5acf48a8d281a73683a7bf32461 implements additional access control checks. CVSS 4.0 vector: AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N. CWE-284 (Improper Access Control) identified.

Official resources

2026-05-19