๐Ÿ” CVE Alert

CVE-2026-34744

UNKNOWN 0.0

MantisBT authorization bypass allows continued access to self-uploaded attachments on private issues

CVSS Score 0.0
EPSS Score 0.0%
EPSS Percentile 11th

Mantis Bug Tracker (MantisBT) is an open source issue tracker. Versions 2.28.1 and prior permit a user to list and download their own attachments from an Issue created by another user even after it becomes private, bypassing read access revocation. The loss of confidentiality caused by this vulnerability is minimal, considering that only attachments previously uploaded by the user themselves remain accessible. This issue has been fixed in version 2.28.2.

CWE CWE-200 CWE-281
Vendor mantisbt
Product mantisbt
Published May 19, 2026
Last Updated May 20, 2026

Affected Versions

mantisbt / mantisbt
< 2.28.2

References

github.com: https://github.com/mantisbt/mantisbt/security/advisories/GHSA-rmp5-5jj7-gmvf
github.com: https://github.com/mantisbt/mantisbt/commit/de7bdeec36de066235e38a77bf056917d951c84d
mantisbt.org: https://mantisbt.org/bugs/view.php?id=36977