PatchSiren cyber security CVE debrief
CVE-2026-34744 mantisbt CVE debrief
Mantis Bug Tracker (MantisBT) versions 2.28.1 and prior contain an access control flaw: a user who uploaded attachments to an issue keeps the ability to list and download those attachments after another user makes the issue private, even though that change revokes the uploader's read access to the issue. The cause is an authorization check that honours attachment ownership without re-checking the parent issue's current visibility. The impact is a limited confidentiality breach: only attachments the affected user uploaded remain reachable, not other users' attachments or the issue content itself, and the uploader already possessed those files at upload time. The issue was resolved in version 2.28.2.
- Vendor
- mantisbt
- Product
- Unknown
- CVSS
- MEDIUM 5.3
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-05-19
- Original CVE updated
- 2026-05-20
- Advisory published
- 2026-05-19
- Advisory updated
- 2026-05-20
Who should care
Organizations running MantisBT instances with multi-user collaboration workflows where issue visibility changes are common, particularly those handling sensitive attachments that require strict confidentiality controls when issues transition to private status.
Technical summary
The flaw sits in MantisBT's attachment access control. When a user uploads an attachment, the record stores the uploader's identity. If the issue is later made private, read access at the issue level is withdrawn from users who are not otherwise entitled to see it, but the attachment listing and download path still grants the original uploader access to their own files. The ownership check is evaluated without confirming that the requester can currently view the parent issue, so the two related resources (the issue and its attachments) end up enforcing different policies. The confidentiality loss is small because the uploader already held the files; what the flaw gives them is confirmation that the attachments still exist and continued retrieval after their access was revoked. The fix in version 2.28.2 presumably adds a check that the requesting user has read access to the parent issue before any attachment is listed or served, regardless of who uploaded it; the stored evidence does not include the patch itself.
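The check-ordering problem described above, modelled as an added example (this is illustrative code written for this debrief, not MantisBT's own implementation; the class and function names, the numeric access levels and the two thresholds are assumptions made to keep the model concrete). The flawed predicate decides the "own attachment" case before it looks at the parent issue; the hardened predicate makes issue visibility a precondition for everyone and lets ownership relax only the download threshold.

```python
from dataclasses import dataclass
from typing import Optional

# MantisBT view_state values for public and private issues.
VS_PUBLIC, VS_PRIVATE = 10, 50
# Access levels and thresholds: a simplified model of MantisBT-style defaults,
# chosen for this example (assumption, not a statement about any real config).
VIEWER, REPORTER, DEVELOPER = 10, 25, 50
PRIVATE_BUG_THRESHOLD = DEVELOPER        # who sees private issues besides reporter/handler
DOWNLOAD_ATTACHMENTS_THRESHOLD = VIEWER  # who may download attachments on a visible issue


@dataclass(frozen=True)
class User:
    id: int
    access_level: int


@dataclass
class Issue:
    id: int
    reporter_id: int
    handler_id: Optional[int] = None
    view_state: int = VS_PUBLIC


@dataclass(frozen=True)
class Attachment:
    id: int
    bug_id: int
    uploader_id: int


def can_view_issue(user: User, issue: Issue) -> bool:
    """Issue-level read access: public issues are open; private ones are limited
    to the reporter, the handler and users at or above PRIVATE_BUG_THRESHOLD."""
    if issue.view_state == VS_PUBLIC:
        return True
    return user.id in (issue.reporter_id, issue.handler_id) \
        or user.access_level >= PRIVATE_BUG_THRESHOLD


def can_download_vulnerable(user: User, att: Attachment, issue: Issue) -> bool:
    """Flawed pattern: the 'own attachment' exception is decided before the parent
    issue's current visibility is consulted, so it survives privatization."""
    if att.uploader_id == user.id:
        return True
    return can_view_issue(user, issue) \
        and user.access_level >= DOWNLOAD_ATTACHMENTS_THRESHOLD


def can_download_fixed(user: User, att: Attachment, issue: Issue) -> bool:
    """Hardened pattern: read access to the parent issue is required for every
    caller; ownership only relaxes the download threshold, never the gate."""
    if not can_view_issue(user, issue):
        return False
    return att.uploader_id == user.id \
        or user.access_level >= DOWNLOAD_ATTACHMENTS_THRESHOLD


def list_attachments(user, issue, attachments, check) -> list:
    """The listing view must use the same predicate as the download endpoint,
    otherwise attachment ids and names leak even when the bytes do not."""
    return [a.id for a in attachments if a.bug_id == issue.id and check(user, a, issue)]


def scenario() -> dict:
    """Replays the CVE narrative: alice uploads to bob's issue, bob makes it private."""
    alice = User(1, REPORTER)               # collaborator who uploads one file
    bob = User(2, REPORTER)                 # issue reporter who later privatizes it
    issue = Issue(100, reporter_id=bob.id)
    atts = [Attachment(7, 100, uploader_id=alice.id),
            Attachment(8, 100, uploader_id=bob.id)]

    out = {"alice_public": list_attachments(alice, issue, atts, can_download_fixed)}
    issue.view_state = VS_PRIVATE           # bob revokes alice's read access
    out["alice_private_vulnerable"] = list_attachments(alice, issue, atts, can_download_vulnerable)
    out["alice_private_fixed"] = list_attachments(alice, issue, atts, can_download_fixed)
    out["bob_private_fixed"] = list_attachments(bob, issue, atts, can_download_fixed)
    return out


if __name__ == "__main__":
    for name, ids in scenario().items():
        print(f"{name:26s} {ids}")
```

Under the flawed predicate alice still lists and fetches attachment 7 (her own) after the issue goes private but not attachment 8, which is exactly the constrained impact the advisory describes; under the hardened predicate she gets nothing, while bob, as reporter, keeps both.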
Defensive priority
medium
Recommended defensive actions
- Upgrade MantisBT to version 2.28.2 or later to remediate this access control flaw
- Review web-server access logs for file_download.php requests that fetch attachments of issues which were later made private, focusing on requests after the visibility change; stock access logs carry session or IP information rather than the MantisBT user, so correlate with login records where available
- Audit issue visibility change workflows to ensure access revocation propagates to all associated resources
- Verify that private issue restrictions apply comprehensively to attachments regardless of uploader: as a non-privileged user, upload a file to a test issue, have the reporter mark it private, then confirm the attachment is neither listed on the issue page nor served from its download URL
- If the upgrade must wait, remember that on affected versions marking an issue private does not withdraw the uploader's access to their own files; where a file must be withheld from its uploader, remove it from the issue rather than relying on the private flag
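A worked example for the log-review and verification items above, added here as illustrative code (not MantisBT's code): it replays a constructed list of download events against a constructed issue-visibility history and reports which downloads the issue's state at that moment should have blocked, and which attachments on currently-private issues are still reachable by an uploader who can no longer view the issue. The row shapes mirror the fields a reviewer would pull from MantisBT's history and attachment tables (view_state changes, uploader per file, reporter/handler per issue), but the column layout, the numeric access levels and the download records themselves are assumptions for the example; a real deployment would reconstruct download events from web-server access logs joined to session data.

```python
from dataclasses import dataclass
from datetime import datetime

VS_PUBLIC, VS_PRIVATE = 10, 50
PRIVATE_BUG_THRESHOLD = 50   # assumption for the model: this level and above see private issues


@dataclass(frozen=True)
class Download:
    ts: datetime
    user_id: int
    file_id: int


# --- constructed sample data, not real records ---------------------------------
# view_state history rows: (bug_id, when, old_state, new_state)
HISTORY = [
    (100, datetime(2026, 5, 1, 9, 0), VS_PUBLIC, VS_PRIVATE),
    (100, datetime(2026, 5, 3, 9, 0), VS_PRIVATE, VS_PUBLIC),
    (100, datetime(2026, 5, 4, 9, 0), VS_PUBLIC, VS_PRIVATE),
    (200, datetime(2026, 5, 2, 12, 0), VS_PUBLIC, VS_PRIVATE),
]
FILES = {7: (100, 1), 8: (100, 2), 9: (200, 3)}   # file_id -> (bug_id, uploader user_id)
ISSUES = {100: (2, None), 200: (3, None)}         # bug_id -> (reporter_id, handler_id)
USERS = {1: 25, 2: 25, 3: 25, 4: 50}              # user_id -> access level
DOWNLOADS = [
    Download(datetime(2026, 4, 30, 10, 0), 1, 7),  # issue public at the time: fine
    Download(datetime(2026, 5, 1, 10, 0), 1, 7),   # private, own upload: the CVE pattern
    Download(datetime(2026, 5, 3, 10, 0), 1, 7),   # issue re-opened: fine
    Download(datetime(2026, 5, 4, 10, 0), 2, 7),   # reporter: fine
    Download(datetime(2026, 5, 4, 11, 0), 4, 8),   # privileged user: fine
    Download(datetime(2026, 5, 5, 11, 0), 1, 8),   # private, someone else's file: not this CVE
]


def view_state_at(bug_id: int, ts: datetime) -> int:
    """Issue state at ts: the latest view_state change at or before ts, or public
    if none is recorded (assumption: issues in the sample start out public)."""
    state = VS_PUBLIC
    for b, when, _old, new in sorted(HISTORY, key=lambda r: r[1]):
        if b == bug_id and when <= ts:
            state = new
    return state


def can_view(user_id: int, bug_id: int, ts: datetime) -> bool:
    """Simplified issue-visibility rule evaluated as of time ts."""
    if view_state_at(bug_id, ts) == VS_PUBLIC:
        return True
    reporter, handler = ISSUES[bug_id]
    return user_id in (reporter, handler) or USERS.get(user_id, 0) >= PRIVATE_BUG_THRESHOLD


def suspicious_downloads(downloads=DOWNLOADS) -> list:
    """Downloads the issue's visibility at that moment should have blocked.
    'own_upload' marks the subset this CVE explains; 'other_upload' needs a
    different explanation and deserves its own investigation."""
    flagged = []
    for d in downloads:
        bug_id, uploader = FILES[d.file_id]
        if not can_view(d.user_id, bug_id, d.ts):
            kind = "own_upload" if uploader == d.user_id else "other_upload"
            flagged.append((d.ts.isoformat(), d.user_id, d.file_id, kind))
    return flagged


def exposed_attachments(now: datetime = datetime(2026, 5, 6)) -> list:
    """Inventory: attachments on currently-private issues whose uploader can no
    longer view the issue. On an unpatched instance these stay listable and
    downloadable by that uploader."""
    return sorted(fid for fid, (bug_id, uploader) in FILES.items()
                  if not can_view(uploader, bug_id, now))


if __name__ == "__main__":
    for row in suspicious_downloads():
        print("blocked-by-policy download:", row)
    print("attachments still reachable by a revoked uploader:", exposed_attachments())
```

The timeline join matters: issue 100 flips private, public and private again, so a download is judged against the state in force when it happened rather than the issue's current flag. Attachment 7 shows up in both outputs, once as an event (the uploader fetched it while the issue was private) and once in the inventory (the issue is private now and the uploader is still outside its readership).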
Evidence notes
The vulnerability description indicates that attachment access controls are not kept in step with issue visibility changes: once an issue becomes private, the attachment retrieval path still honours the original uploader's ownership without revalidating the issue's current permissions. The stored CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N) records a network attack vector, low attack complexity, no attack requirements, low privileges required (an authenticated user who uploaded the files), no user interaction, and low confidentiality impact with no integrity or availability impact; the subsequent-system metrics (SC/SI/SA) are not present in the stored vector.
Official resources
2026-05-19