Authorization Bypass in Mantis Bug Tracker (MantisBT)
CVE-2026-34579

5.3 MEDIUM

Key Information:

Vendor: Mantisbt
Status: Vendor
CVE Published: 19 May 2026

What is CVE-2026-34579?

Mantis Bug Tracker, an open source issue tracking system, contains an authorization bypass in its issue monitoring feature. A user with project-level access can submit a crafted POST request to bug_monitor_add.php and thereby start monitoring private issues they are not permitted to view. Although an Access Denied error message is shown, the application still creates the monitor relationship. An affected installation then sends such users email notifications about updates to those private issues, exposing sensitive metadata and content, even though direct access to the issues themselves remains blocked. The vulnerability is fixed in version 2.28.2.
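The failure mode the advisory describes, an access check whose result is reported but does not stop the write, is modelled below in a small hypothetical handler beside its fail-closed form, together with two defender-side checks: re-verifying access when selecting notification recipients, and auditing existing monitor rows after an upgrade. This is added illustrative code, not MantisBT's own; the data model and function names are assumptions.

```python
from dataclasses import dataclass

@dataclass
class Issue:
    id: int
    project_id: int
    private: bool        # private view state: hidden from ordinary project members
    reporter_id: int

@dataclass
class User:
    id: int
    projects: frozenset          # projects this user has access to
    sees_private: bool = False   # role allowed to view private issues

def can_view(user: User, issue: Issue) -> bool:
    """Hypothetical authorization rule: project access plus private-issue rights or ownership."""
    if issue.project_id not in user.projects:
        return False
    return not issue.private or user.sees_private or issue.reporter_id == user.id

def monitor_add_vulnerable(user, issue, monitors):
    """Bug class from the advisory: the denial is reported, but the write still happens."""
    error = "Access Denied" if not can_view(user, issue) else None
    monitors.add((issue.id, user.id))   # side effect is not gated on the check
    return error

def monitor_add_fixed(user, issue, monitors):
    """Hardened handler: fail closed before any state change."""
    if not can_view(user, issue):
        return "Access Denied"
    monitors.add((issue.id, user.id))
    return None

def notification_recipients(issue, monitors, users_by_id):
    """Defense in depth: re-check access when sending updates, so a stale or
    illegitimate monitor row cannot leak private issue content by email."""
    return sorted(uid for iid, uid in monitors
                  if iid == issue.id and can_view(users_by_id[uid], issue))

def audit_monitors(monitors, issues_by_id, users_by_id):
    """Post-upgrade check: monitor rows whose user cannot view the monitored issue."""
    return sorted((iid, uid) for iid, uid in monitors
                  if not can_view(users_by_id[uid], issues_by_id[iid]))

if __name__ == "__main__":
    # constructed sample data: alice may see private issues, bob may not
    alice, bob = User(1, frozenset({10}), True), User(2, frozenset({10}))
    private_issue = Issue(100, 10, True, reporter_id=1)
    rows = set()
    print(monitor_add_vulnerable(bob, private_issue, rows), rows)   # denied, yet row created
    print(audit_monitors(rows, {100: private_issue}, {1: alice, 2: bob}))
```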

Affected Version(s)

mantisbt < 2.28.2

References

CVSS V4

Score: 5.3
Severity: MEDIUM
Confidentiality: Low
Integrity: None
Availability: None
Attack Vector: Network
Attack Complexity: Low
Attack Requirements: None
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability Reserved
