PT-2026-39874 · Mantisbt · Mantisbt
Published 2026-05-11 · Updated 2026-05-19 · CVE-2026-34390
CVSS v4.0: 5.1 (Medium)
| Vector | AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
Name of the Vulnerable Software and Affected Versions
Mantis Bug Tracker (MantisBT) versions prior to 2.28.2
Description
Insufficient access control checks in the ProjectUsersAddCommand function (used by 'manage_proj_user_add.php' and the 'PUT /project/{id}/users' API endpoint) allow users at the manage_project_threshold access level (typically managers) to grant project-level administrator access to any user, including themselves, within any project where they hold manager rights. The user interface restricts the selectable access levels to the actor's own role or lower, but the backend handler accepts and processes forged higher access level values without re-checking them against the actor's level. The result is privilege escalation, although the impact is limited: project-level administrator access does not grant global administrative privileges, such as the ability to delete projects or to manage users, plugins, and custom fields across the entire instance.
Recommendations
Update to version 2.28.2.
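The missing server-side check, as an added PHP illustration that is not MantisBT's own code: the vulnerable handler only verifies that the actor may manage the project and then trusts the submitted access level, while the hardened handler also caps the grantable level at the actor's own. The constant values follow MantisBT's default access levels; the function names and the session array shape are assumptions made for this example.

```php
<?php
// Illustrative example, not MantisBT source. Constant values mirror MantisBT's
// default access levels; function names and the session layout are assumptions.
const VIEWER = 10;
const REPORTER = 25;
const UPDATER = 40;
const DEVELOPER = 55;
const MANAGER = 70;
const ADMINISTRATOR = 90;

// Hypothetical lookup of the actor's effective access level in a project.
function actor_project_access_level(int $project_id, array $session): int {
    return $session['project_access'][$project_id] ?? VIEWER;
}

// Vulnerable pattern: the manage-project check passes for a manager, and the
// access level taken from the request body is then stored unchanged.
function add_user_vulnerable(int $project_id, int $requested_level, array $session): int {
    if (actor_project_access_level($project_id, $session) < MANAGER) {
        throw new RuntimeException('access denied');
    }
    return $requested_level; // a forged ADMINISTRATOR value is accepted as-is
}

// Hardened pattern: the server enforces what the UI only suggested, rejecting
// any requested level above the actor's own level in that project.
function add_user_hardened(int $project_id, int $requested_level, array $session): int {
    $actor_level = actor_project_access_level($project_id, $session);
    if ($actor_level < MANAGER) {
        throw new RuntimeException('access denied');
    }
    if ($requested_level > $actor_level) {
        throw new RuntimeException('cannot grant an access level above your own');
    }
    return $requested_level;
}

// Constructed request: a project manager (user 7, project 3) submits an
// administrator level for themselves.
$session = ['user_id' => 7, 'project_access' => [3 => MANAGER]];
echo 'vulnerable handler stored level: ', add_user_vulnerable(3, ADMINISTRATOR, $session), PHP_EOL;
try {
    add_user_hardened(3, ADMINISTRATOR, $session);
} catch (RuntimeException $e) {
    echo 'hardened handler: ', $e->getMessage(), PHP_EOL;
}
```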
Exploit · Fix · LPE · Improper Access Control
Affected Products
Mantisbt