CVE-2026-34744 Overview
CVE-2026-34744 affects Mantis Bug Tracker (MantisBT), an open source issue tracker used by development teams to manage software defects. The flaw permits authenticated users to list and download attachments they previously uploaded to an issue created by another user, even after that issue is marked private. The behavior bypasses read access revocation enforced by issue privacy controls. Versions 2.28.1 and earlier are affected, and the maintainers fixed the issue in version 2.82.2. The weakness is classified under CWE-200: Exposure of Sensitive Information to an Unauthorized Actor.
Critical Impact
Authenticated users retain access to their own attachments on issues that have been made private, undermining confidentiality controls intended to revoke access.
Affected Products
- MantisBT versions 2.28.1 and prior
- Fixed in MantisBT version 2.82.2
- Self-hosted MantisBT deployments using attachment features
Discovery Timeline
- 2026-05-19 - CVE-2026-34744 published to NVD
- 2026-05-20 - Last updated in NVD database
Technical Details for CVE-2026-34744
Vulnerability Analysis
The vulnerability resides in MantisBT's attachment access control logic. When an issue is created publicly and a user uploads an attachment, that user retains a reference to the attachment. If a project administrator or reporter subsequently changes the issue visibility to private, the application correctly restricts the issue page itself but fails to revoke the uploader's access to attachments they previously contributed.
The confidentiality impact is constrained because only attachments the requesting user personally uploaded remain accessible. The user cannot retrieve attachments contributed by other participants on the now-private issue. The flaw still represents a broken access control condition because the privacy state change does not propagate consistently across all attachment retrieval paths.
Root Cause
The root cause is incomplete authorization checks on attachment listing and download endpoints. The code path verifies whether the requesting user is the original uploader, but does not re-evaluate whether the parent issue's current visibility still grants that user read access. The fix in commit de7bdeec36de066235e38a77bf056917d951c84d adjusts the access check so the parent issue's privacy state is honored before returning attachment data.
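The defect described above can be modelled as two versions of the same authorization decision. The following Python is an added illustration, not MantisBT's own (PHP) code: the data classes, access levels, threshold names and function names are constructed for the example. It reproduces only the logic the advisory describes, an uploader check that short-circuits without re-evaluating the parent issue's current visibility, beside the hardened ordering in which the issue's privacy state gates every attachment decision first.

```python
"""Vulnerable vs. hardened attachment authorization, modelled for CVE-2026-34744.

Added example; the model below is constructed and is not MantisBT's access layer.
"""
from dataclasses import dataclass

PUBLIC, PRIVATE = "public", "private"

# Constructed access levels (higher number = more privilege).
REPORTER, DEVELOPER = 25, 55
PRIVATE_BUG_THRESHOLD = DEVELOPER      # assumed level needed to read private issues
VIEW_ATTACHMENTS_THRESHOLD = REPORTER  # assumed level needed to read others' attachments


@dataclass
class Issue:
    issue_id: int
    reporter_id: int
    view_state: str = PUBLIC


@dataclass
class Attachment:
    file_id: int
    issue_id: int
    uploader_id: int


@dataclass
class User:
    user_id: int
    access_level: int


def can_view_issue(user: User, issue: Issue) -> bool:
    """The issue-page check: anyone sees public issues; private issues are
    visible only to their reporter or to users at/above the private threshold."""
    if issue.view_state == PUBLIC:
        return True
    return user.user_id == issue.reporter_id or user.access_level >= PRIVATE_BUG_THRESHOLD


def can_download_vulnerable(user: User, att: Attachment, issue: Issue) -> bool:
    """Defective ordering: being the uploader is accepted on its own, so a later
    change of the parent issue to private is never consulted for the uploader."""
    if user.user_id == att.uploader_id:
        return True
    return can_view_issue(user, issue) and user.access_level >= VIEW_ATTACHMENTS_THRESHOLD


def can_download_fixed(user: User, att: Attachment, issue: Issue) -> bool:
    """Hardened ordering: the parent issue's current visibility is checked first;
    the uploader relationship only matters while the issue itself is readable."""
    if not can_view_issue(user, issue):
        return False
    return user.user_id == att.uploader_id or user.access_level >= VIEW_ATTACHMENTS_THRESHOLD


def scenario():
    """Reporter creates a public issue, a low-privilege user attaches a file,
    the issue is then made private. Returns the uploader's download result
    (vulnerable, fixed) before and after the privacy change."""
    alice = User(user_id=1, access_level=DEVELOPER)  # reporter of the issue
    bob = User(user_id=2, access_level=REPORTER)     # low-privilege uploader
    issue = Issue(issue_id=100, reporter_id=alice.user_id)
    att = Attachment(file_id=7, issue_id=issue.issue_id, uploader_id=bob.user_id)

    before = (can_download_vulnerable(bob, att, issue), can_download_fixed(bob, att, issue))
    issue.view_state = PRIVATE  # read access is meant to be revoked here
    after = (can_download_vulnerable(bob, att, issue), can_download_fixed(bob, att, issue))
    return before, after


if __name__ == "__main__":
    print(scenario())  # ((True, True), (True, False))
```

The reporter keeps access in both versions because `can_view_issue` admits the reporter of a private issue; the difference shows only for the uploader, whose access the vulnerable path never revisits after the issue becomes private.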
Attack Vector
An attacker requires an authenticated, low-privilege account on the MantisBT instance. The attacker must have previously uploaded an attachment to an issue created by another user before that issue was marked private. After privacy revocation, the attacker can still enumerate and download those specific attachments through the standard attachment endpoints. No user interaction from the victim is required, and the request is performed over the network against the application's HTTP interface.
The vulnerability mechanism is described in the GitHub Security Advisory GHSA-rmp5-5jj7-gmvf and the MantisBT Bug Report #36977.
Detection Methods for CVE-2026-34744
Indicators of Compromise
- HTTP GET requests to file_download.php or attachment listing endpoints referencing issues whose view_state is set to private
- Repeated attachment access by users who are no longer authorized to view the parent issue
- Attachment download events where the requesting user is not the issue reporter, handler, or project member with private-issue access
Detection Strategies
- Correlate MantisBT web access logs with the application's mantis_bug_table.view_state field to identify downloads against private issues by non-authorized accounts
- Audit the mantis_bug_file_table for attachments whose parent issue is private and whose uploader is no longer a project member
- Monitor for anomalous attachment retrieval patterns following bulk visibility changes on issues
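The first two strategies above (correlating web access logs with `view_state`, and auditing attachments against the privacy of their parent issue) can be scripted as one pass over the logs. The Python below is an added example, not a MantisBT tool: the log lines, the file-to-issue and issue tables, the `private_since` timestamp and the `PRIVATE_VIEWERS` set are all constructed, and the log format assumes the web server log has been enriched with the MantisBT username (a plain Apache log carries only the session, so that join must be done elsewhere). It flags successful `file_download.php` requests for attachments on private issues by accounts that are neither the reporter nor above the private-issue threshold, and only after the issue was made private.

```python
"""Detect attachment downloads from private issues by unauthorized accounts.

Added example for CVE-2026-34744; all inputs below are constructed.
"""
import re
from datetime import datetime
from urllib.parse import parse_qs, urlsplit

# Constructed access log lines (format: ip user [timestamp] "request" status bytes).
LOG_LINES = [
    '10.0.0.5 bob [20/May/2026:09:50:00 +0000] "GET /mantisbt/file_download.php?file_id=7&type=bug HTTP/1.1" 200 5120',
    '10.0.0.5 bob [20/May/2026:09:55:00 +0000] "GET /mantisbt/view.php?id=100 HTTP/1.1" 200 8192',
    '10.0.0.5 bob [20/May/2026:10:01:02 +0000] "GET /mantisbt/file_download.php?file_id=7&type=bug HTTP/1.1" 200 5120',
    '10.0.0.9 alice [20/May/2026:10:02:10 +0000] "GET /mantisbt/file_download.php?file_id=7&type=bug HTTP/1.1" 200 5120',
    '10.0.0.5 bob [20/May/2026:10:03:44 +0000] "GET /mantisbt/file_download.php?file_id=8&type=bug HTTP/1.1" 200 2048',
    '10.0.0.5 bob [20/May/2026:10:04:01 +0000] "GET /mantisbt/file_download.php?file_id=9&type=bug HTTP/1.1" 403 512',
]

# Constructed extract of mantis_bug_file_table: file_id -> parent bug_id.
BUG_FILES = {7: 100, 8: 200, 9: 100}

# Constructed extract of mantis_bug_table, plus when the issue became private
# (taken from the history table in a real deployment; assumed here).
BUGS = {
    100: {"view_state": "private", "reporter": "alice", "private_since": "2026-05-20T09:58:00+00:00"},
    200: {"view_state": "public", "reporter": "carol", "private_since": None},
}

# Constructed: accounts at/above the project's private-issue threshold.
PRIVATE_VIEWERS = {"alice", "dave"}

LOG_RE = re.compile(
    r'^(?P<ip>\S+) (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"GET (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)


def authorized_for(bug: dict, user: str) -> bool:
    """Who may still read a private issue: its reporter or a privileged viewer."""
    return user == bug["reporter"] or user in PRIVATE_VIEWERS


def find_suspicious_downloads(lines):
    """Return (user, file_id, bug_id, iso_timestamp) for each successful download
    of an attachment on a private issue by an account not authorized to read it,
    counted only from the moment the issue was made private."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["status"] != "200":
            continue  # malformed line, or the server refused (expected on a patched instance)
        url = urlsplit(m["target"])
        if not url.path.endswith("/file_download.php"):
            continue
        qs = parse_qs(url.query)
        if qs.get("type", [""])[0] != "bug" or "file_id" not in qs:
            continue
        file_id = int(qs["file_id"][0])
        bug_id = BUG_FILES.get(file_id)
        bug = BUGS.get(bug_id)
        if bug is None or bug["view_state"] != "private":
            continue
        when = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        if when < datetime.fromisoformat(bug["private_since"]):
            continue  # access was legitimate while the issue was still public
        if authorized_for(bug, m["user"]):
            continue
        findings.append((m["user"], file_id, bug_id, when.isoformat()))
    return findings


if __name__ == "__main__":
    for hit in find_suspicious_downloads(LOG_LINES):
        print("private-issue attachment downloaded by unauthorized account:", hit)
```

Only bob's 10:01:02 download is reported: his 09:50 download predates the privacy change, alice is the reporter, file 8 belongs to a public issue, and the 403 on file 9 shows the server already denying the request, which is the behaviour to expect after upgrading.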
Monitoring Recommendations
- Enable verbose access logging on the MantisBT web server and forward logs to a centralized analytics platform for review
- Alert on attachment downloads occurring after an issue's privacy state has been changed within a defined time window
- Review project membership changes alongside attachment access events to detect access drift
How to Mitigate CVE-2026-34744
Immediate Actions Required
- Upgrade MantisBT to version 2.82.2 or later, which contains the access control fix
- Inventory all running MantisBT instances, including internal and partner-facing deployments, to ensure full coverage
- Review historical attachment access logs for evidence of access to private-issue attachments by former contributors
Patch Information
The maintainers fixed the issue in MantisBT 2.82.2. The corrective change is published in commit de7bdeec36de066235e38a77bf056917d951c84d. Administrators should apply the upstream release rather than backporting the patch manually to retain support for future security updates.
Workarounds
- Restrict authenticated access to MantisBT to trusted users only until the upgrade is applied
- Where possible, delete attachments from issues whose visibility has been changed to private and have a currently authorized member re-upload them, so the original uploader no longer holds a reference to the file
- Limit user roles so that only vetted accounts can upload attachments on shared projects
# Verify MantisBT version after upgrade
grep "MANTIS_VERSION" /var/www/mantisbt/core/constant_inc.php
# Expected output should reference version 2.82.2 or later
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.