Description
Mantis Bug Tracker (MantisBT) is an open source issue tracker. Versions 2.28.1 and prior allow an authenticated user to upload attachments to private Issues they are not authorized to access. This issue has been fixed in version 2.28.2.
Published: 2026-05-19
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability in Mantis Bug Tracker allows an authenticated user to upload attachments to private issues via the REST API that they are not authorized to access. This flaw is an improper access control issue (CWE-284) and enables an attacker to place arbitrary files on issues outside their permissions, potentially exposing confidential data or facilitating malicious payload distribution.

Affected Systems

Mantis Bug Tracker remains affected in all releases up to and including version 2.28.1. The product identifier is mantisbt:mantisbt and the vulnerability has been fixed in version 2.28.2.

Risk and Exploitability

The CVSS score for this vulnerability is 4.3, indicating moderate severity, and no EPSS score is available. It is not listed in the CISA KEV catalog. The exploitation environment requires authentication and access to the REST API. An attacker with legitimate credentials could leverage the REST endpoint to create unauthorized attachments on private issues. The lack of broader exploitation evidence suggests that immediate remediation is prudent, even though the probability of widespread exploitation remains low.

Generated by OpenCVE AI on May 20, 2026 at 00:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Mantis Bug Tracker to version 2.28.2 or later
  • If upgrading is not possible, restrict or disable REST API access for untrusted users
  • Review and tighten role‑based permissions to ensure users cannot upload to private issues

Generated by OpenCVE AI on May 20, 2026 at 00:20 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-h4x5-gvx6-3rwc MantisBT has an Authorization Bypass that Allows Uploading Attachments to Private Issues via REST API
History

Wed, 20 May 2026 15:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 20 May 2026 00:45:00 +0000

Type Values Removed Values Added
First Time appeared Mantisbt
Mantisbt mantisbt
Vendors & Products Mantisbt
Mantisbt mantisbt

Tue, 19 May 2026 23:30:00 +0000

Type Values Removed Values Added
Description Mantis Bug Tracker (MantisBT) is an open source issue tracker. Versions 2.28.1 and prior allow an authenticated user to upload attachments to private Issues they are not authorized to access. This issue has been fixed in version 2.28.2.
Title MantisBT allows unauthorized users to upload attachments to restricted issues via REST API
Weaknesses CWE-284
References
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N'}

Subscriptions

Mantisbt Mantisbt
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-20T15:09:04.024Z

Reserved: 2026-03-30T19:17:10.225Z

Link: CVE-2026-34754

cve-icon Vulnrichment

Updated: 2026-05-20T15:07:30.902Z

cve-icon NVD

Status : Deferred

Published: 2026-05-20T00:16:34.857

Modified: 2026-05-20T14:06:33.993

Link: CVE-2026-34754

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-20T00:30:17Z

Weaknesses