PT-2026-39876 · Mantisbt · Mantisbt
Published 2026-05-11 · Updated 2026-05-19 · CVE-2026-34579
CVSS v4.0: 5.3 (Medium)
| Vector | AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N |
Name of the Vulnerable Software and Affected Versions
Mantis Bug Tracker (MantisBT) versions prior to 2.28.2
Description
An authorization bypass exists in the private issue monitoring feature. A user with project-level access can send a crafted POST request to the bug_monitor_add.php endpoint to add themselves as a monitor of a private issue they are not authorized to view. Although the application returns an Access Denied error, the request is still processed and the monitor relationship is created. Direct access to the private issue remains restricted, but the user then receives email notifications for updates to it, disclosing the private issue's metadata and content.
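The failure mode described above, modelled as an added example in Python (constructed here, not MantisBT's code): the vulnerable handler reports the denial but nothing halts the write that follows, the hardened handler returns before mutating state, and an audit routine lists monitor rows the access rule would not permit, which is how an administrator could review an instance for relationships created before upgrading. The Issue/Tracker classes, the access rule and the sample data are simplifying assumptions.

```python
from dataclasses import dataclass, field

PRIVATE = "private"


@dataclass
class Issue:
    issue_id: int
    project_id: int
    view_state: str
    reporter_id: int


@dataclass
class Tracker:
    issues: dict                      # issue_id -> Issue
    project_access: set               # (user_id, project_id) pairs with project-level access
    private_viewers: set              # user_ids allowed to see private issues
    monitors: set = field(default_factory=set)  # (user_id, issue_id) monitor relationships

    def can_view(self, user_id, issue):
        """Assumed access rule: project access, plus reporter or private-viewer for private issues."""
        if (user_id, issue.project_id) not in self.project_access:
            return False
        if issue.view_state == PRIVATE:
            return user_id == issue.reporter_id or user_id in self.private_viewers
        return True

    def monitor_add_vulnerable(self, user_id, issue_id):
        """Models the reported behaviour: the denial is reported, but nothing halts the write."""
        issue = self.issues[issue_id]
        response = "OK" if self.can_view(user_id, issue) else "Access Denied"
        self.monitors.add((user_id, issue_id))   # executes regardless of the check above
        return response

    def monitor_add_fixed(self, user_id, issue_id):
        """Hardened form: the access check gates the mutation and denial ends the request."""
        issue = self.issues[issue_id]
        if not self.can_view(user_id, issue):
            return "Access Denied"
        self.monitors.add((user_id, issue_id))
        return "OK"

    def audit_orphan_monitors(self):
        """Monitor rows whose user fails the access rule for the monitored issue."""
        return sorted(m for m in self.monitors if not self.can_view(m[0], self.issues[m[1]]))


def build_demo():
    """Constructed sample: user 1 reported private issue 7; user 2 only has project access."""
    issue = Issue(issue_id=7, project_id=10, view_state=PRIVATE, reporter_id=1)
    return Tracker(issues={7: issue}, project_access={(1, 10), (2, 10)}, private_viewers={1})
```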
Recommendations
Update to version 2.28.2.
Fix
Information Disclosure
Incorrect Authorization
Related Identifiers
Affected Products
Mantisbt