Listen to this Post
How the Mentioned CVE Works
This is an authorization bypass vulnerability in MantisBT’s private issue monitoring feature. The flaw resides in the `bug_monitor_add.php` endpoint.
Under normal conditions, a user with project-level access can monitor only those issues they are permitted to view. However, by sending a crafted POST request to `bug_monitor_add.php` with a specific `bug_id` and the malicious user’s own username, a user who lacks access to a private issue can attempt to add themselves as a monitor.
Even though the application returns an “Access Denied” error to the user, the underlying `MonitorAddCommand` does not perform adequate authorization checks. The vulnerable function validates whether the user can monitor the issue, but it fails to stop the creation of the monitor relationship when access is denied.
Specifically, the command lacks a proper distinction between adding oneself and adding other users, and it does not enforce the `monitor_bug_threshold` permission at the bug level when the user adds themselves. Consequently, the request is processed, and the monitoring relationship is created in the database despite the denied access message.
Direct access to the private issue remains blocked, but the monitoring relationship allows the attacker to receive email notifications for any updates to that issue. This leads to the disclosure of the issue’s metadata (such as its , status, and updates) and, in some cases, the content of private discussions.
The issue was introduced by an earlier change intended to improve monitoring functionality. The vulnerability is fixed in commit `0a93267deba445fb9d15250c16e6fdb1246ffa65` by restructuring the access validation logic to require `access_has_bug_level` when a user adds themselves to a private issue.
DailyCVE Form
Platform: MantisBT
Version: <= 2.28.1 (affected)
Vulnerability: Authorization Bypass
Severity: Moderate
Date: May 9, 2026
Prediction: May 11, 2026
Analytics under What Undercode Say
Check MantisBT version curl -s http://target/mantisbt/admin/check/index.php | grep "MantisBT Version" Search for exploit patterns in logs grep "bug_monitor_add.php" /var/log/apache2/access.log | grep "POST" Verify if monitoring is active mysql -u mantis_user -p -e "SELECT FROM mantis_bug_monitor_table WHERE user_id = [bash];"
How Exploit
- Enumerate a private issue ID that the attacker cannot access.
- Craft a POST request to `bug_monitor_add.php` with parameters:
bug_id=$PRIVATE_ISSUE_ID&username=self&monitor=1. - Send the request. Observe the “Access Denied” error.
- Check the database table `mantis_bug_monitor_table` to confirm the relationship.
- Wait for email notifications about updates to the private issue.
Protection from this CVE
Upgrade to a patched version of MantisBT (2.28.2 or later) or apply the specific patch commit 0a93267deba445fb9d15250c16e6fdb1246ffa65. If an immediate upgrade is not possible, disable the `bug_monitor_add.php` endpoint via web server access controls (e.g., `.htaccess` or Nginx location block) as a temporary workaround.
Impact
Information disclosure: Sensitive metadata and content of private issues are leaked via email notifications. Direct access to the issue remains blocked, but the attacker gains insight into confidential project information, which can facilitate further attacks or lead to a breach of privacy.
🎯Let’s Practice Exploiting & Learn Patching For Free:
Sources:
Reported By: github.com
Extra Source Hub:
Undercode

