PatchSiren cyber security CVE debrief
CVE-2026-34754 mantisbt CVE debrief
Mantis Bug Tracker (MantisBT) versions 2.28.1 and prior contain an improper access control vulnerability (CWE-284) that allows authenticated users to upload attachments to private issues they are not authorized to access. This represents a broken authorization boundary where the attachment upload functionality fails to validate whether the requesting user has legitimate access to the target issue before accepting file uploads. The vulnerability requires network access and valid user credentials, with low attack complexity and no user interaction needed. The confidentiality impact is none, but integrity impact is low as unauthorized users can modify issue content by adding attachments. The issue was reported through the MantisBT bug tracking system and has been resolved in version 2.28.2 via a security patch. Organizations running affected versions should prioritize upgrading to 2.28.2 or later to prevent unauthorized data modification in private issue trackers.
- Vendor: mantisbt
- Product: Unknown
- CVSS: MEDIUM 4.3
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-20
- Original CVE updated: 2026-05-20
- Advisory published: 2026-05-20
- Advisory updated: 2026-05-20
Who should care
Organizations using MantisBT for issue tracking, particularly those relying on private issues for sensitive bug reports or security disclosures. Development teams, security operations centers, and system administrators responsible for MantisBT deployments should prioritize this patch to maintain data integrity and access control boundaries.
Technical summary
The vulnerability exists in MantisBT's attachment upload functionality, which fails to properly validate user authorization before allowing file attachments to be added to issues. An authenticated attacker can exploit this by targeting private issues they cannot otherwise view or modify, bypassing intended access restrictions. The attack vector is network-based with low complexity, requiring only valid user credentials. The security fix in version 2.28.2 adds proper authorization checks to the attachment upload process, ensuring users can only attach files to issues they are explicitly permitted to access.
Defensive priority
medium
Recommended defensive actions
- Upgrade MantisBT installations to version 2.28.2 or later to remediate the improper access control vulnerability
- Review access logs for unauthorized attachment uploads to private issues in affected versions prior to upgrade
- Validate that private issue access controls are functioning correctly after upgrading to 2.28.2
- Consider implementing additional authorization checks at the web application firewall or reverse proxy layer for attachment upload endpoints as a defense-in-depth measure
- Monitor for any anomalous attachment upload patterns that may indicate exploitation attempts
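The following is an added illustrative model of the authorization boundary described in the technical summary and of the post-upgrade review suggested above; it is example code written for this debrief, not MantisBT's own code, and its visibility rule (admins see everything, public issues are visible to project members, private issues only to their reporter) is an assumption chosen to keep the model small. It shows the vulnerable shape (authentication only) beside the hardened shape (per-issue authorization before accepting the file), and a review routine that flags attachments on private issues whose uploader could not access the issue.

```python
"""Model of the attachment-upload authorization check (added example, not MantisBT code)."""

from dataclasses import dataclass, field


@dataclass
class Issue:
    issue_id: int
    project_id: int
    reporter_id: int
    private: bool                              # "private" view state
    attachments: list = field(default_factory=list)   # (uploader_id, filename)


@dataclass
class User:
    user_id: int
    projects: set                              # project memberships (constructed model)
    is_admin: bool = False


class AccessDenied(Exception):
    pass


def can_access_issue(user: User, issue: Issue) -> bool:
    """Simplified visibility rule (assumption, not MantisBT's real access model):
    admins see everything; public issues are visible to project members;
    private issues only to their reporter (or an admin)."""
    if user.is_admin:
        return True
    if issue.project_id not in user.projects:
        return False
    if issue.private:
        return user.user_id == issue.reporter_id
    return True


def add_attachment_unchecked(user: User, issue: Issue, filename: str) -> bool:
    """Vulnerable shape: the caller is authenticated, but nothing checks
    whether this user may access the target issue before storing the file."""
    issue.attachments.append((user.user_id, filename))
    return True


def add_attachment(user: User, issue: Issue, filename: str) -> bool:
    """Hardened shape: authorize against the specific issue first."""
    if not can_access_issue(user, issue):
        raise AccessDenied(f"user {user.user_id} may not access issue {issue.issue_id}")
    issue.attachments.append((user.user_id, filename))
    return True


def find_unauthorized_attachments(users_by_id: dict, issues: list) -> list:
    """Post-hoc review for deployments that ran an affected version: list
    attachments on private issues whose uploader fails the visibility rule."""
    findings = []
    for issue in issues:
        if not issue.private:
            continue
        for uploader_id, filename in issue.attachments:
            uploader = users_by_id[uploader_id]
            if not can_access_issue(uploader, issue):
                findings.append((issue.issue_id, uploader_id, filename))
    return findings


def demo():
    """Constructed scenario: two members of the same project, one private issue."""
    alice = User(user_id=1, projects={10})      # reporter of the private issue
    bob = User(user_id=2, projects={10})        # same project, not the reporter
    issue = Issue(issue_id=100, project_id=10, reporter_id=1, private=True)

    add_attachment_unchecked(bob, issue, "unexpected.txt")   # accepted: the bug
    try:
        add_attachment(bob, issue, "again.txt")              # refused after the fix
        hardened_rejected = False
    except AccessDenied:
        hardened_rejected = True
    add_attachment(alice, issue, "repro.log")                # reporter is allowed

    findings = find_unauthorized_attachments({1: alice, 2: bob}, [issue])
    return hardened_rejected, findings


if __name__ == "__main__":
    print(demo())
```

The review routine needs the uploader's access at upload time, so on a real deployment the user-to-project membership snapshot should come from the period before the upgrade rather than current state; the model uses one static membership set for simplicity.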
Evidence notes
Vulnerability description and affected versions sourced from the official CVE record and NVD entry. Fix version 2.28.2 confirmed through the GitHub security advisory and commit reference. CWE-284 classification provided by the [email protected] source. CVSS 3.1 vector AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N indicates a network-accessible, low-complexity attack requiring authenticated privileges, with integrity impact only.
Official resources
2026-05-20T00:16:34.857Z