Description
Mantis Bug Tracker (MantisBT) is an open source issue tracker. Versions 2.28.1 and prior have a Privilege Escalation vulnerability where insufficient access control checks in ProjectUsersAddCommand (manage_proj_user_add.php) allow users having manage_project_threshold access level (manager by default) to grant project-level administrator access to any user (including themselves) in any Project they have manager rights in. The normal project-user add form restricts the selectable access levels to the actor's own project role or below. However, the backend handler still accepts a forged higher access_level value and writes it. The consequences of the privilege escalation are slight, as having administrator access at Project level is effectively not very different from being manager, and it does not actually give administrator privileges on the whole MantisBT instance. In particular, it does not let the upgraded user delete the Project or grant them any access to global administrative functions such as managing Users, Projects, Plugins, Custom Fields, etc. This issue has been fixed in version 2.28.2.
Published: 2026-05-19
Score: 5.1 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability arises from missing access-control checks in MantisBT's ProjectUsersAddCommand handler. A user holding the manage_project_threshold role (manager by default) can craft a request that assigns the administrator access level to any user, including themselves, in any project where they hold manager rights. Although this grants project-level rather than global administrator privileges, it still elevates the user's authority within that project and may allow operations beyond what a manager would normally perform. This is a classic privilege-escalation flaw (CWE-284).

Affected Systems

The flaw affects the open-source Mantis Bug Tracker (vendor mantisbt, product mantisbt). All releases up to and including version 2.28.1 are vulnerable; the issue was resolved in version 2.28.2.

Risk and Exploitability

The CVSS score of 5.1 indicates a moderate risk. No EPSS value is available, and the vulnerability is not listed in CISA’s KEV catalog. Based on the description, it is inferred that the attack vector involves a web‑based request to the project‑user‑add handler; an authenticated manager can submit a forged access_level value. Because the flaw requires only existing managerial privileges, it is potentially exploitable by any manager who chooses to abuse it. This risk is moderate but still actionable.

Generated by OpenCVE AI on May 19, 2026 at 23:52 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade MantisBT to version 2.28.2 or later to eliminate the faulty access‑control check.
  • After updating, review project role assignments to confirm no managers have been granted administrator rights in their projects.
  • Enable logging or monitoring of role‑change events to detect any future misuse of project‑level administrator privileges.
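As an added illustration (not MantisBT's own code), the Python model below contrasts the handler behaviour the description reports, a threshold-only check that writes a forged access_level, with a hardened version that rejects any level above the actor's own project role, and includes the post-upgrade audit from the recommended actions. The numeric access levels are MantisBT's documented defaults and the project-user table is a constructed dictionary; both are assumptions, not taken from this page.

```python
# Added example, not MantisBT's own code: the missing server-side check in the
# project-user-add handler, plus the post-upgrade audit from the recommended actions.
# Level values are MantisBT defaults (assumption from constant_inc.php, not from the page).
VIEWER, REPORTER, UPDATER, DEVELOPER, MANAGER, ADMINISTRATOR = 10, 25, 40, 55, 70, 90
VALID_LEVELS = {VIEWER, REPORTER, UPDATER, DEVELOPER, MANAGER, ADMINISTRATOR}
MANAGE_PROJECT_THRESHOLD = MANAGER  # "manager by default" per the description

class AccessDenied(Exception):
    """Raised when the actor may not perform the requested assignment."""

def vulnerable_add_user(db, actor_level, project_id, user_id, access_level):
    """'Before' behaviour: only the manage threshold is checked, so a forged
    access_level above the actor's own project role is written unchanged."""
    if actor_level < MANAGE_PROJECT_THRESHOLD:
        raise AccessDenied("actor may not manage project users")
    db[(project_id, user_id)] = access_level
    return access_level

def hardened_add_user(db, actor_level, project_id, user_id, access_level):
    """Hardened handler: the requested level must be a known level and must not
    exceed the actor's own effective level in the project, enforced server-side
    rather than only in the form's drop-down."""
    if actor_level < MANAGE_PROJECT_THRESHOLD:
        raise AccessDenied("actor may not manage project users")
    if access_level not in VALID_LEVELS:
        raise ValueError(f"unknown access level {access_level}")
    if access_level > actor_level:
        raise AccessDenied("cannot grant an access level above your own")
    db[(project_id, user_id)] = access_level
    return access_level

def find_suspicious_project_admins(db, global_levels):
    """Post-upgrade audit: project-level ADMINISTRATOR rows held by users who
    are not global administrators (the pattern this bug would leave behind)."""
    return sorted(
        (project_id, user_id)
        for (project_id, user_id), level in db.items()
        if level == ADMINISTRATOR and global_levels.get(user_id, VIEWER) < ADMINISTRATOR
    )

if __name__ == "__main__":
    # Constructed sample: user 7 is a manager in project 1 and self-promotes.
    table = {}
    vulnerable_add_user(table, MANAGER, 1, 7, ADMINISTRATOR)  # the bug: accepted
    try:
        hardened_add_user(table, MANAGER, 1, 7, ADMINISTRATOR)
    except AccessDenied as exc:
        print("rejected:", exc)
    print(find_suspicious_project_admins(table, {7: MANAGER}))  # [(1, 7)]
```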

Advisories

GitHub GHSA GHSA-frf7-jhp9-jxm6: MantisBT Vulnerable to Privilege Escalation from Manager to Administrator
History

Tue, 19 May 2026 23:45:00 +0000

Values added: first time appeared: Mantisbt (vendor), mantisbt (product); Vendors & Products: Mantisbt, mantisbt

Tue, 19 May 2026 22:00:00 +0000

Values added:
Description: as quoted at the top of this page.
Title: MantisBT: Privilege Escalation from Manager to Administrator
Weaknesses: CWE-284
References: none listed
Metrics: cvssV4_0, score 5.1, vector CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

MITRE
Status: PUBLISHED
Assigner: GitHub_M
Published:
Updated: 2026-05-19T21:54:26.043Z
Reserved: 2026-03-27T13:45:29.619Z
Link: CVE-2026-34390

Vulnrichment
No data.

NVD
Status: Received
Published: 2026-05-19T22:16:37.807
Modified: 2026-05-19T22:16:37.807
Link: CVE-2026-34390

Redhat
No data.

OpenCVE Enrichment
Updated: 2026-05-20T00:00:16Z
Weaknesses