Vulnerability-Lookup

GHSA-RMP5-5JJ7-GMVF

Vulnerability from github – Published: 2026-05-11 19:32 – Updated: 2026-05-11 19:32

Summary

MantisBT has an authorization bypass that allows reading attachments after losing access to a private issue

Details

MantisBT permits a user to list and download their own attachments from an Issue created by another user, even after that Issue becomes private and direct access to it is denied.

Impact

The loss of confidentiality caused by this vulnerability is minimal, considering that only the attachments that were previously uploaded by the user themselves remains accessible.

Patches

de7bdeec36de066235e38a77bf056917d951c84d

Workarounds

None.

Credits

Thanks to Vishal Shukla for discovering and responsibly reporting the issue.

Severity ?

5.3 (Medium)


                  
                    CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 2.28.1"
      },
      "package": {
        "ecosystem": "Packagist",
        "name": "mantisbt/mantisbt"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.28.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-34744"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-200"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-05-11T19:32:36Z",
    "nvd_published_at": null,
    "severity": "MODERATE"
  },
  "details": "MantisBT permits a user to list and download their own attachments from an Issue created by another user, even after that Issue becomes private and direct access to it is denied.\n\n### Impact\nThe loss of confidentiality caused by this vulnerability is minimal, considering that only the attachments that were previously uploaded by the user themselves remains accessible.\n\n### Patches\n- de7bdeec36de066235e38a77bf056917d951c84d\n\n### Workarounds\nNone.\n\n### Credits\n\nThanks to Vishal Shukla for discovering and responsibly reporting the issue.",
  "id": "GHSA-rmp5-5jj7-gmvf",
  "modified": "2026-05-11T19:32:36Z",
  "published": "2026-05-11T19:32:36Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/mantisbt/mantisbt/security/advisories/GHSA-rmp5-5jj7-gmvf"
    },
    {
      "type": "WEB",
      "url": "https://github.com/mantisbt/mantisbt/commit/de7bdeec36de066235e38a77bf056917d951c84d"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/mantisbt/mantisbt"
    },
    {
      "type": "WEB",
      "url": "https://mantisbt.org/bugs/view.php?id=36977"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "MantisBT has an authorization bypass that allows reading attachments after losing access to a private issue"
}

CVE-2026-34744 (GCVE-0-2026-34744)

Vulnerability from cvelistv5 – Published: 2026-05-19 22:45 – Updated: 2026-05-20 17:19

Title

MantisBT authorization bypass allows continued access to self-uploaded attachments on private issues

Summary

Mantis Bug Tracker (MantisBT) is an open source issue tracker. Versions 2.28.1 and prior permit a user to list and download their own attachments from an Issue created by another user even after it becomes private, bypassing read access revocation. The loss of confidentiality caused by this vulnerability is minimal, considering that only attachments previously uploaded by the user themselves remain accessible. This issue has been fixed in version 2.82.2.

Severity ?

5.3 (Medium)


                        
                          CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

CWE

CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
CWE-281 - Improper Preservation of Permissions

Assigner

GitHub_M

References

3 references

URL	Tags
https://github.com/mantisbt/mantisbt/security/adv…	x_refsource_CONFIRM
https://github.com/mantisbt/mantisbt/commit/de7bd…	x_refsource_MISC
https://mantisbt.org/bugs/view.php?id=36977	x_refsource_MISC

Impacted products

1 product

Vendor	Product	Version
mantisbt	mantisbt	Affected: < 2.28.2

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-34744",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-05-20T17:19:00.457408Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-05-20T17:19:23.248Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "mantisbt",
          "vendor": "mantisbt",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 2.28.2"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Mantis Bug Tracker (MantisBT) is an open source issue tracker. Versions 2.28.1 and prior permit a user to list and download their own attachments from an Issue created by another user even after it becomes private, bypassing read access revocation. The loss of confidentiality caused by this vulnerability is minimal, considering that only attachments previously uploaded by the user themselves remain accessible. This issue has been fixed in version 2.82.2."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "NETWORK",
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "privilegesRequired": "LOW",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "NONE",
            "vulnConfidentialityImpact": "LOW",
            "vulnIntegrityImpact": "NONE"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-200",
              "description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-281",
              "description": "CWE-281: Improper Preservation of Permissions",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-19T22:45:35.012Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/mantisbt/mantisbt/security/advisories/GHSA-rmp5-5jj7-gmvf",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/mantisbt/mantisbt/security/advisories/GHSA-rmp5-5jj7-gmvf"
        },
        {
          "name": "https://github.com/mantisbt/mantisbt/commit/de7bdeec36de066235e38a77bf056917d951c84d",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/mantisbt/mantisbt/commit/de7bdeec36de066235e38a77bf056917d951c84d"
        },
        {
          "name": "https://mantisbt.org/bugs/view.php?id=36977",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://mantisbt.org/bugs/view.php?id=36977"
        }
      ],
      "source": {
        "advisory": "GHSA-rmp5-5jj7-gmvf",
        "discovery": "UNKNOWN"
      },
      "title": "MantisBT authorization bypass allows continued access to self-uploaded attachments on private issues"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-34744",
    "datePublished": "2026-05-19T22:45:35.012Z",
    "dateReserved": "2026-03-30T19:17:10.224Z",
    "dateUpdated": "2026-05-20T17:19:23.248Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

Sightings

Author	Source	Type	Date	Other

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted