CVE-2026-34754 Overview
CVE-2026-34754 is a broken access control vulnerability in Mantis Bug Tracker (MantisBT), an open source issue tracking application. Versions 2.28.1 and prior allow an authenticated user to upload attachments to private issues they are not authorized to view. The flaw stems from missing authorization checks on the attachment upload workflow, classified under [CWE-284] Improper Access Control. The issue was fixed in MantisBT version 2.28.2.
Critical Impact
Authenticated low-privilege users can write attachments to private issues outside their access scope, undermining confidentiality boundaries and the integrity of restricted bug reports.
Affected Products
- Mantis Bug Tracker (MantisBT) versions through 2.28.1
- MantisBT instances that allow authenticated users to upload attachments
- Self-hosted MantisBT deployments using private project or issue access controls
Discovery Timeline
- 2026-05-20 - CVE-2026-34754 published to the National Vulnerability Database (NVD)
- 2026-05-20 - Last updated in the NVD
Technical Details for CVE-2026-34754
Vulnerability Analysis
The vulnerability resides in MantisBT's attachment upload handler. Authenticated users can target the internal identifier of a private issue and submit attachment data even when they lack view or update permissions on that issue. The server validates the user's authentication state but fails to verify whether the requesting account has authorization on the referenced issue before persisting the upload.
This access control gap permits an attacker with any valid MantisBT account to inject files into restricted issues. The impact is limited to the integrity of issue data: there is no direct disclosure of existing private issue contents and no denial of service. However, attackers can plant misleading evidence, distribute malicious files to privileged reviewers, or pollute restricted projects.
Root Cause
The root cause is missing authorization enforcement [CWE-284] in the attachment upload code path. The fix in the upstream commit reorganizes the access check so that the server validates the user's permission against the target issue before accepting attachment content. See the GitHub Security Advisory GHSA-h4x5-gvx6-3rwc and the upstream fix commit for the corrected logic.
Attack Vector
Exploitation is performed over the network against the MantisBT web interface. An attacker needs valid credentials on the target instance but does not need elevated privileges. The attacker submits a crafted attachment upload request that references the bug_id of a private issue they are not authorized to see. No user interaction is required. Additional technical context is available in the MantisBT bug report #36976.
Detection Methods for CVE-2026-34754
Indicators of Compromise
- Attachment records in mantis_bug_file_table whose uploading user lacks view access to the linked private issue or project.
- Web server access logs showing POST requests to file_add.php or bug_file_add.php from accounts that have not viewed the corresponding bug_id.
- Unexpected file uploads on issues belonging to private projects shortly after low-privilege account activity.
Detection Strategies
- Audit MantisBT database tables to correlate attachment uploads with the uploader's effective access level on the parent issue at the time of upload.
- Enable verbose application logging and monitor authorization-related events on attachment endpoints.
- Compare attachment uploader identities against project access lists to surface cross-project anomalies.
Monitoring Recommendations
- Forward MantisBT web and application logs to a centralized SIEM for correlation against user role and project membership data.
- Alert on attachment uploads to issues in projects where the uploading account has no membership.
- Review historical attachment activity on private projects for the period preceding the upgrade to 2.28.2.
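A database audit that implements the correlation from the detection strategies and the membership alert rule above, as an added example that is not part of the advisory or of the MantisBT project. It runs the check against a constructed in-memory SQLite copy of the relevant MantisBT tables, assuming MantisBT's standard table and column names and constants (view_state 50 = private, access_level 90 = administrator, private_bug_threshold defaulting to DEVELOPER = 50); on a real deployment the same query runs against the production database.

```python
import sqlite3
# Constructed subset of the MantisBT schema (only the columns this audit needs). Assumed
# MantisBT constants: view_state 50 private / 10 public, access_level 90 admin, handler_id 0 when unassigned.
SCHEMA = """
CREATE TABLE mantis_user_table (id INTEGER, username TEXT, access_level INTEGER);
CREATE TABLE mantis_project_table (id INTEGER, name TEXT, view_state INTEGER);
CREATE TABLE mantis_project_user_list_table (project_id INTEGER, user_id INTEGER, access_level INTEGER);
CREATE TABLE mantis_bug_table (id INTEGER, project_id INTEGER, reporter_id INTEGER, handler_id INTEGER, view_state INTEGER);
CREATE TABLE mantis_bug_file_table (id INTEGER, bug_id INTEGER, user_id INTEGER, filename TEXT);
"""
# Flag attachments on private issues (or issues in private projects) whose uploader is neither
# reporter nor handler and whose effective project access is below the private-bug threshold:
# explicit membership if present, else the global level for public projects and admins, else none.
AUDIT_SQL = """
SELECT f.id, f.filename, u.username, b.id AS bug_id, p.name
FROM mantis_bug_file_table f
JOIN mantis_bug_table b ON b.id = f.bug_id
JOIN mantis_project_table p ON p.id = b.project_id
JOIN mantis_user_table u ON u.id = f.user_id
LEFT JOIN mantis_project_user_list_table pul
       ON pul.project_id = b.project_id AND pul.user_id = f.user_id
WHERE (b.view_state = 50 OR p.view_state = 50)
  AND f.user_id NOT IN (b.reporter_id, b.handler_id)
  AND COALESCE(pul.access_level,
      CASE WHEN u.access_level >= 90 OR p.view_state = 10 THEN u.access_level ELSE 0 END) < ?
ORDER BY f.id
"""
def find_suspect_attachments(conn, private_bug_threshold=50):
    """Rows of (file_id, filename, uploader, bug_id, project) that need manual review."""
    return conn.execute(AUDIT_SQL, (private_bug_threshold,)).fetchall()
def build_sample_db():
    # Constructed sample data: one clean and one suspect upload in each private scope.
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO mantis_user_table VALUES (?,?,?)",
                     [(1, "admin", 90), (2, "alice", 55), (3, "bob", 25), (4, "eve", 25)])
    conn.executemany("INSERT INTO mantis_project_table VALUES (?,?,?)",
                     [(10, "public_proj", 10), (20, "secret_proj", 50)])
    conn.execute("INSERT INTO mantis_project_user_list_table VALUES (20, 2, 55)")
    conn.executemany("INSERT INTO mantis_bug_table VALUES (?,?,?,?,?)", [
        (100, 10, 3, 2, 50),   # private issue in a public project: bob reports, alice handles
        (200, 20, 1, 0, 10),   # issue inside a private project, unassigned
        (300, 10, 4, 0, 10)])  # public issue, out of scope
    conn.executemany("INSERT INTO mantis_bug_file_table VALUES (?,?,?,?)", [
        (1, 100, 3, "repro.log"),    # reporter on own private issue: fine
        (2, 100, 4, "planted.bin"),  # non-member below threshold: suspect
        (3, 200, 2, "notes.txt"),    # explicit DEVELOPER member: fine
        (4, 200, 4, "payload.zip"),  # no membership in the private project: suspect
        (5, 300, 4, "screen.png")])  # public issue: not examined
    return conn
```

Raise private_bug_threshold to match a non-default $g_private_bug_threshold, and treat every flagged row as a lead to verify against the issue history rather than as proof of abuse.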
How to Mitigate CVE-2026-34754
Immediate Actions Required
- Upgrade MantisBT to version 2.28.2 or later, which contains the authoritative fix.
- Inventory all authenticated MantisBT user accounts and disable or reset credentials for stale or untrusted accounts.
- Review attachments on private issues created on vulnerable versions and remove any unauthorized files.
Patch Information
The vendor released MantisBT 2.28.2 to address CVE-2026-34754. The fix is delivered in commit b262b4d2835b81394d75356dead66e52a6275206, which enforces authorization checks before processing attachment uploads. Administrators should obtain the patched release directly from the MantisBT project and follow the standard upgrade procedure, including database schema updates.
Workarounds
- Restrict MantisBT account creation and registration to trusted users until the patch is applied.
- Temporarily disable file attachments globally via the MantisBT administration configuration if upgrading is not immediately possible.
- Place the MantisBT instance behind authenticated network controls such as VPN or SSO to limit exposure to untrusted accounts.
# Configuration example: disable attachments in config_inc.php until patched
$g_allow_file_upload = OFF;
$g_enable_project_documentation = OFF;
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.