CVE-2026-34579 mantisbt CVE debrief

Who should care

Organizations using MantisBT for issue tracking with private/confidential issues, particularly those handling security vulnerabilities, proprietary information, or sensitive customer data. Security teams responsible for access control validation and developers maintaining MantisBT installations.

Technical summary

The vulnerability exists in bug_monitor_add.php where insufficient authorization validation allows project-level users to establish monitor relationships with private issues. The application returns an Access Denied error message while still persisting the monitor relationship to the database. This creates a split-state condition where the UI indicates failure but the backend state reflects success. The monitor relationship triggers email notifications for issue updates, transmitting private metadata and content to unauthorized recipients without requiring direct issue access.

Defensive priority

medium

Recommended defensive actions

• Upgrade MantisBT to version 2.28.2 or later to remediate this vulnerability
• Review existing monitor relationships for private issues to identify potential unauthorized access
• Implement network-level monitoring for unusual POST requests to bug_monitor_add.php
• Audit email notification logs for unexpected recipients of private issue updates
• Verify access controls on private issues are properly enforced across all API endpoints
• Consider implementing additional authorization checks before processing monitor addition requests

Evidence notes

Vulnerability confirmed through GitHub Security Advisory GHSA-ggw7-9675-6v4v with associated commit 0a93267deba445fb9d15250c16e6fdb1246ffa65. MantisBT bug tracker reference #36975 documents the issue. CVSS 4.0 vector indicates network attack vector with low attack complexity and low confidentiality impact to vulnerable component.

Official resources