PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-34970 mantisbt CVE debrief

Mantis Bug Tracker (MantisBT) versions 2.28.1 and prior contain an access control flaw where a bugnote author retains access to the note's Revisions page after losing access to the parent private issue. This represents an information disclosure vulnerability (CWE-200) where historical revision data remains exposed despite revocation of issue-level permissions. The vulnerability was fixed in version 2.28.2.

Vendor
mantisbt
Product
Unknown
CVSS
MEDIUM 5.3
CISA KEV
Not listed in stored evidence
Original CVE published
2026-05-20
Original CVE updated
2026-05-20
Advisory published
2026-05-20
Advisory updated
2026-05-20

Who should care

Organizations running MantisBT 2.28.1 or earlier with private issue workflows, particularly those with dynamic team memberships or frequent permission changes. Security teams concerned with data residency and access revocation completeness. Compliance officers evaluating issue tracker access control implementations.

Technical summary

The vulnerability exists in MantisBT's access control logic for bugnote revisions. When a user loses access to a private issue (e.g., through permission revocation, project membership changes, or issue visibility updates), the system fails to propagate this access revocation to the bugnote Revisions page. The bugnote author retains the ability to view historical revisions even when they can no longer access the parent issue. This is classified as CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor). The CVSS 4.0 vector indicates network attack vector, low attack complexity, low privileges required, and low confidentiality impact.
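The failure mode above, modelled as an added example (not MantisBT's code and not the fix in the referenced commit): a revision view that only checks note authorship, beside one that first requires current access to the parent private issue. Data structures, user names and issue numbers are constructed for the illustration.

```python
from dataclasses import dataclass

@dataclass
class Issue:
    issue_id: int
    private: bool
    viewers: set          # users currently allowed to view a private issue

@dataclass
class Bugnote:
    note_id: int
    issue_id: int         # parent issue
    author: str
    revisions: list       # historical note texts, oldest first

# Constructed sample state: one private issue, one note authored by "bob".
ISSUES = {101: Issue(101, private=True, viewers={"alice", "bob"})}
NOTES = {7: Bugnote(7, issue_id=101, author="bob", revisions=["draft", "final"])}

def can_view_issue(user, issue):
    """Issue-level rule: public issues are open, private ones need membership."""
    return (not issue.private) or user in issue.viewers

def revisions_vulnerable(user, note_id):
    """Flawed pattern: authorship alone unlocks the revision history,
    so access survives revocation on the parent issue."""
    note = NOTES[note_id]
    if note.author != user:
        raise PermissionError("not the note author")
    return note.revisions

def revisions_fixed(user, note_id):
    """Hardened pattern: parent issue access is re-evaluated on every
    request before any note-level rule is consulted."""
    note = NOTES[note_id]
    if not can_view_issue(user, ISSUES[note.issue_id]):
        raise PermissionError("no access to parent issue")
    if note.author != user:
        raise PermissionError("not the note author")
    return note.revisions

def revoke(user, issue_id):
    """Simulate the user losing access to a private issue."""
    ISSUES[issue_id].viewers.discard(user)

def allowed(check, user, note_id):
    """True if the given check grants access, False if it raises."""
    try:
        check(user, note_id)
        return True
    except PermissionError:
        return False
```

After `revoke("bob", 101)` the flawed check still returns the revisions while the hardened one denies them, which is the behaviour the advisory describes.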

Defensive priority

medium

Recommended defensive actions

  • Upgrade MantisBT to version 2.28.2 or later to remediate this access control flaw.
  • Review bugnote revision access logs for unauthorized access patterns by former issue viewers.
  • Audit private issue permission changes to identify users who may have retained unintended access to historical revision data.
  • Verify that bugnote revision pages enforce parent issue access controls in custom deployments or forks.

Evidence notes

Official GitHub Security Advisory GHSA-crmx-4p49-46m2 confirms the vulnerability and fix. Commit 71df1f67e05b2050cd4bd87839e6cc13747cf03f contains the remediation. MantisBT issue #36978 tracks the bug report.

Official resources

2026-05-20