Description
Mantis Bug Tracker (MantisBT) is an open source issue tracker. Versions 2.28.1 and prior are vulnerable to Authorization Bypass through the private issue monitoring feature. Using a crafted POST request to bug_monitor_add.php, a user with project-level access can add themselves as a monitor for a private issue they do not have access to. Despite displaying an Access Denied error, the application accepts the request and creates a monitor relationship for the private issue. Direct access to the private issue remains blocked, but the user will receive email notifications for updates, leading to disclosure of the private issue's metadata and content. This issue has been fixed in version 2.28.2.
Published: 2026-05-19
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Mantis Bug Tracker allows a project‑level user to add themselves as a monitor to a private issue through a crafted POST request to bug_monitor_add.php. Although the application displays an Access Denied error, the request succeeds, creating an unauthorized monitoring relationship. The user cannot view the private issue directly but receives email notifications that reveal the issue’s metadata and content, resulting in unintended information disclosure.
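The defect the description names is a check-then-act ordering problem (CWE-863): the authorization failure is rendered to the user but does not abort the write that follows it. The block below is an added illustration, not MantisBT code; the Issue/Store model, the numeric view_state and access-level values, and every function name in it are assumptions. It places a handler with the described behaviour beside a fail-closed version, and adds an audit helper of the kind an administrator might run after upgrading to find monitor rows that should not exist.

```python
# Added illustration (not MantisBT code): the defect class described above is a
# "check-then-act" bug where the authorization failure is displayed but does not
# stop the state change.  Data model, names and numeric levels are assumptions.
from dataclasses import dataclass, field

PUBLIC, PRIVATE = 10, 50        # assumed view_state values for an issue
REPORTER, DEVELOPER = 25, 55    # assumed per-project access levels


class AccessDenied(PermissionError):
    """Raised by the fixed handler before any write happens."""


@dataclass
class Issue:
    id: int
    project_id: int
    reporter_id: int
    view_state: int = PUBLIC


@dataclass
class Store:
    issues: dict                                  # issue id -> Issue
    project_access: dict                          # (user_id, project_id) -> access level
    monitors: set = field(default_factory=set)    # (bug_id, user_id) rows
    private_threshold: int = DEVELOPER            # level needed to see private issues

    def can_view(self, user_id: int, issue: Issue) -> bool:
        """Authorization rule: public issues, own reports, or sufficient project level."""
        if issue.view_state == PUBLIC or issue.reporter_id == user_id:
            return True
        return self.project_access.get((user_id, issue.project_id), 0) >= self.private_threshold


def monitor_add_vulnerable(store: Store, user_id: int, bug_id: int) -> list:
    """Mirrors the advisory's behaviour: the denial is only rendered, the write still happens."""
    issue = store.issues[bug_id]
    errors = []
    if not store.can_view(user_id, issue):
        errors.append("Access Denied")       # shown to the user ...
    store.monitors.add((bug_id, user_id))    # ... but the monitor row is created anyway
    return errors


def monitor_add_fixed(store: Store, user_id: int, bug_id: int) -> bool:
    """Fail closed: the access check guards the write and aborts the request on denial."""
    issue = store.issues[bug_id]
    if not store.can_view(user_id, issue):
        raise AccessDenied(f"user {user_id} may not monitor issue {bug_id}")
    store.monitors.add((bug_id, user_id))
    return True


def audit_monitors(store: Store) -> list:
    """Post-upgrade cleanup aid: monitor rows whose user cannot view the issue."""
    return sorted((b, u) for (b, u) in store.monitors
                  if not store.can_view(u, store.issues[b]))


def build_sample_store() -> Store:
    """Constructed sample data: project 1, private issue 7 reported by user 2,
    and user 3 who only holds reporter level in that project."""
    return Store(
        issues={7: Issue(id=7, project_id=1, reporter_id=2, view_state=PRIVATE)},
        project_access={(2, 1): DEVELOPER, (3, 1): REPORTER},
    )


if __name__ == "__main__":
    s = build_sample_store()
    print("vulnerable:", monitor_add_vulnerable(s, 3, 7), "monitors now", s.monitors)
    print("audit finds:", audit_monitors(s))
    s = build_sample_store()
    try:
        monitor_add_fixed(s, 3, 7)
    except AccessDenied as e:
        print("fixed:", e, "monitors still", s.monitors)
```

The point of the pairing is that the access check must be the guard for the write in the same code path; any error path that reports a denial and then continues to the side effect reproduces the bug regardless of what the user sees. The audit helper is a sketch only: the fix in 2.28.2 prevents new relationships from being created, and it is an assumption here that rows created before the upgrade may still need to be found and removed.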

Affected Systems

The vulnerability affects the MantisBugTracker product, specifically versions 2.28.1 and earlier.

Risk and Exploitability

The CVSS score of 5.3 indicates moderate severity. Exploitation requires a user with legitimate project‑level access and the ability to send a crafted POST request to the web interface of the vulnerable MantisBT instance. EPSS data is unavailable and the issue is not listed in the CISA KEV catalog, suggesting no known widespread exploitation at this time. The primary risk is the disclosure of private issue details via email notifications, which could lead to sensitive information leakage.

Generated by OpenCVE AI on May 19, 2026 at 23:24 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to MantisBT version 2.28.2 or later to apply the vendor fix.
  • If an upgrade is not immediately feasible, reconfigure the system to disable monitoring of private issues for users with only project‑level access.
  • Configure access controls so that only administrators can add monitors to private issues, thereby preventing the creation of unauthorized monitoring relationships.


Advisories

Source: GitHub GHSA
ID: GHSA-ggw7-9675-6v4v
Title: MantisBT has an authorization bypass in private issue monitoring

History

Wed, 20 May 2026 16:30:00 +0000

  • Metrics: ssvc added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 19 May 2026 23:45:00 +0000

  • First Time appeared: Mantisbt; Mantisbt mantisbt
  • Vendors & Products: Mantisbt; Mantisbt mantisbt

Tue, 19 May 2026 22:45:00 +0000

  • Description added (identical to the Description at the top of this record).
  • Title added: MantisBT has an authorization bypass via private issue monitoring
  • Weaknesses added: CWE-200, CWE-863
  • References:
  • Metrics: cvssV4_0 added: {'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-20T15:45:51.694Z

Reserved: 2026-03-30T16:56:30.998Z

Link: CVE-2026-34579

Vulnrichment

Updated: 2026-05-20T14:36:00.909Z

NVD

Status : Deferred

Published: 2026-05-19T23:16:57.137

Modified: 2026-05-20T14:06:33.993

Link: CVE-2026-34579

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-19T23:30:05Z

Weaknesses