MantisBT allows unauthorized users to upload attachments to restricted issues via REST API
Summary
| CVE | CVE-2026-34754 |
|---|---|
| State | PUBLISHED |
| Assigner | GitHub_M |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2026-05-20 00:16:34 UTC |
| Updated | 2026-05-20 14:06:33 UTC |
| Description | Mantis Bug Tracker (MantisBT) is an open source issue tracker. Versions 2.28.1 and prior allow an authenticated user to upload attachments to private Issues they are not authorized to access. This issue has been fixed in version 2.28.2. |
Risk And Classification
Primary CVSS: v3.1 4.3 MEDIUM from [email protected]
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
EPSS: 0.000280000 probability, percentile 0.083210000 (date 2026-05-27)
Problem Types: CWE-284 | CWE-284 CWE-284: Improper Access Control
| Version | Source | Type | Score | Severity | Vector |
|---|---|---|---|---|---|
| 3.1 | [email protected] | Secondary | 4.3 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N |
| 3.1 | CNA | DECLARED | 4.3 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N |
CVSS v3.1 Breakdown
Attack Vector
NetworkAttack Complexity
LowPrivileges Required
LowUser Interaction
NoneScope
UnchangedConfidentiality
NoneIntegrity
LowAvailability
NoneCVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Vendor Declared Affected Products
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| github.com/mantisbt/mantisbt/commit/b262b4d2835b81394d75356dead66e52a627... | [email protected] | github.com | |
| mantisbt.org/bugs/view.php | [email protected] | mantisbt.org | |
| github.com/mantisbt/mantisbt/security/advisories/GHSA-h4x5-gvx6-3rwc | [email protected] | github.com | |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
No vendor comments have been submitted for this CVE.
There are currently no legacy QID mappings associated with this CVE.