CVE-2026-34744 | THREATINT

Description

Mantis Bug Tracker (MantisBT) is an open source issue tracker. Versions 2.28.1 and prior permit a user to list and download their own attachments from an Issue created by another user even after it becomes private, bypassing read access revocation. The loss of confidentiality caused by this vulnerability is minimal, considering that only attachments previously uploaded by the user themselves remain accessible. This issue has been fixed in version 2.82.2.

PUBLISHED Reserved 2026-03-30 | Published 2026-05-19 | Updated 2026-05-20 | Assigner GitHub_M

MEDIUM: 5.3CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

Problem types

CWE-200: Exposure of Sensitive Information to an Unauthorized Actor

CWE-281: Improper Preservation of Permissions

Product status

< 2.28.2

affected

References

github.com/...ntisbt/security/advisories/GHSA-rmp5-5jj7-gmvf

github.com/...ommit/de7bdeec36de066235e38a77bf056917d951c84d

mantisbt.org/bugs/view.php?id=36977

cve.org (CVE-2026-34744)

nvd.nist.gov (CVE-2026-34744)

Download JSON