CVE-2026-34579 Overview
CVE-2026-34579 is an authorization bypass vulnerability in Mantis Bug Tracker (MantisBT), an open source issue tracking system. Versions 2.28.1 and prior fail to enforce access controls when handling private issue monitoring requests. An authenticated user with project-level access can submit a crafted POST request to bug_monitor_add.php and add themselves as a monitor on a private issue they should not be able to view. The application surfaces an Access Denied error but still creates the monitor relationship server-side. The attacker then receives email notifications containing the private issue's metadata and content. MantisBT version 2.28.2 contains the fix.
Critical Impact
Authenticated users can subscribe to private issue notifications and receive disclosure of restricted issue content via email, despite direct web access remaining blocked.
Affected Products
- Mantis Bug Tracker (MantisBT) versions 2.28.1 and prior
- MantisBT private issue monitoring component (bug_monitor_add.php)
- MantisBT core/commands/MonitorAddCommand.php
Discovery Timeline
- 2026-05-19 - CVE-2026-34579 published to NVD
- 2026-05-20 - Last updated in NVD database
Technical Details for CVE-2026-34579
Vulnerability Analysis
The flaw is an authorization bypass classified under [CWE-200] Exposure of Sensitive Information to an Unauthorized Actor. MantisBT correctly blocks direct view requests for private issues, but the monitor-add command path does not perform the same access check before persisting the monitor relationship. The user interface displays an Access Denied message, masking the fact that the backend operation succeeded. Once subscribed, the attacker becomes a recipient of every notification email generated for the issue. Those notifications include issue summaries, status changes, and note content, leading to ongoing disclosure of restricted data.
Root Cause
The MonitorAddCommand handler did not validate whether the requesting user could access the target issue before adding the monitor record. The access-control decision was made in the presentation layer rather than enforced in the command itself. As a result, a POST to bug_monitor_add.php referencing a private issue ID bypassed the intended authorization boundary even though the response page indicated denial.
Attack Vector
Exploitation requires network access to the MantisBT instance and a valid user account with project-level access. The attacker enumerates or guesses private issue identifiers within reachable projects and submits a crafted POST request to bug_monitor_add.php containing the target issue ID. The server creates the monitor relationship and begins delivering notification emails to the attacker's registered address.
# You should have received a copy of the GNU General Public License
# along with MantisBT. If not, see <http://www.gnu.org/licenses/>.
+/**
+ * @noinspection PhpUnhandledExceptionInspection
+ */
+
require_api( 'authentication_api.php' );
require_api( 'bug_api.php' );
require_api( 'constant_inc.php' );
Source: GitHub Commit 0a93267 - patch in core/commands/MonitorAddCommand.php enforces that users can only monitor private issues they are authorized to access.
Detection Methods for CVE-2026-34579
Indicators of Compromise
- POST requests to bug_monitor_add.php referencing issue IDs flagged as private in the MantisBT database.
- New rows in the mantis_bug_monitor_table for private issues where the monitoring user lacks corresponding view permissions.
- Outbound notification emails sent to users whose access level does not match the issue's view-state.
Detection Strategies
- Correlate web server access logs for bug_monitor_add.php requests against issue privacy state and the requesting user's effective permissions.
- Audit MantisBT's monitor table periodically and flag entries where the monitor lacks read access to the associated bug.
- Alert on HTTP 200 or redirect responses to monitor-add requests that immediately follow an Access Denied page render for the same user and issue.
Monitoring Recommendations
- Enable MantisBT audit logging and forward application logs to a centralized log platform for review.
- Track email notification recipients per private issue and compare against the project's authorized member list.
- Baseline normal monitor-add activity per user and alert on unusual volume targeting private issue IDs.
How to Mitigate CVE-2026-34579
Immediate Actions Required
- Upgrade MantisBT to version 2.28.2 or later, which includes the access check in MonitorAddCommand.
- Review the mantis_bug_monitor_table for entries on private issues and remove any monitor relationships for users without view access.
- Rotate or restrict accounts that show suspicious monitor-add activity against private issues.
Patch Information
The fix is published in MantisBT 2.28.2 and tracked in GitHub Security Advisory GHSA-ggw7-9675-6v4v. The code change is in commit 0a93267, which adds access validation to core/commands/MonitorAddCommand.php. Additional context is available in MantisBT Bug Report #36975.
Workarounds
- Restrict project membership and reduce the number of users with project-level access where private issues exist.
- Temporarily disable the issue monitoring feature for untrusted user roles via MantisBT permission thresholds.
- Periodically purge unexpected monitor records on private issues until the upgrade is applied.
# Verify installed MantisBT version and upgrade
grep "MANTIS_VERSION" core/constant_inc.php
# Expected after patch: define( 'MANTIS_VERSION', '2.28.2' );
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
