Privilege Escalation in Mantis Bug Tracker Affects User Permissions
CVE-2026-34390

CVSS v4 score: 5.1 (MEDIUM)

Key Information:

Vendor: Mantisbt
Status: Vendor
CVE Published: 19 May 2026

What is CVE-2026-34390?

Mantis Bug Tracker (MantisBT) versions before 2.28.2 allow a user who holds the manager access level on a project to raise their own project access level, or that of another user, to project administrator. The cause is insufficient access control in the backend handler for project user management: the handler does not adequately restrict which access levels a manager may assign. The impact is confined to the affected project. The escalation grants no additional privileges at the global instance level, so the attacker does not become an instance administrator. The issue was fixed in version 2.28.2.

Affected Version(s)

mantisbt < 2.28.2

References

CVSS v4

Score: 5.1
Severity: MEDIUM
Confidentiality: Low
Integrity: Low
Availability: None
Attack Vector: Network
Attack Complexity: Low
Attack Requirements: None
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability Reserved
