MantisBT, Authorization Bypass, CVE-2026-34744 (Medium)

Listen to this Post

The vulnerability resides in MantisBT’s attachment handling logic. When a user uploads a file to an issue, the system associates that file with both the issue ID and the uploader’s user ID. The flaw manifests when the parent issue is later made private. Prior to the patch, the file access functions (file_can_view_or_download(), IssueFileGetCommand::validate()) did not verify the user’s current permission level for the parent issue itself. Because of this oversight, a user who had lost the right to view the private issue could still enumerate and download files they had personally uploaded to it. The check only enforced that the user was the original uploader, not that they still had `view_bug_threshold` access to the issue. An attacker could manually issue a direct request to an attachment download endpoint with a valid file ID and authentication cookie. The application would then verify only the file-to-user uploader relationship, bypassing the parent issue’s access restrictions entirely. The commit `de7bdee` patches this by adding an explicit `access_has_bug_level( config_get( ‘view_bug_threshold’ ), $p_bug_id )` check in the critical code paths. If this fails, the request is rejected with ERROR_ACCESS_DENIED. The vulnerability affects all versions of MantisBT up to and including 2.28.1. It was discovered by Vishal Shukla and fixed in version 2.28.2.

DailyCVE Form:

Platform: MantisBT
Version: ≤2.28.1
Vulnerability: Auth Bypass
Severity: Medium
date: 2026-05-11
Prediction: Patch 2026-05-09

What Undercode Say:

Check current MantisBT version
grep -i "version" config/config_inc.php
List vulnerable installations (affected versions ≤2.28.1)
composer show mantisbt/mantisbt | grep -i version
Simulate bypass attempt (requires authenticated user cookie)
curl -X GET "http://target-mantis/file_download.php?file_id=123" \
-H "Cookie: MANTIS_STRING_COOKIE=your_auth_cookie"
Verify patch presence by checking function 'file_can_view_or_download'
grep -A 5 "function file_can_view_or_download" core/file_api.php

Exploit:

An authenticated user with an attachment ID (even after being removed from a private issue) can directly request the file via endpoints like `file_download.php?file_id=XYZ` or the REST API. The system fails to re-validate the user’s access to the parent issue, allowing retrieval of the user’s own previously uploaded attached data.

Protection from this CVE

Upgrade to MantisBT version 2.28.2 or later immediately. If upgrade is not possible, apply the patch from commit `de7bdeec36de066235e38a77bf056917d951c84d` manually to the `core/file_api.php` and `core/commands/IssueFileGetCommand.php` files. No workarounds exist other than disabling file attachments entirely, which is not recommended.

Impact:

The confidentiality impact is minimal, as an attacker can only access their own previously uploaded attachments, not the private issue’s content or other files. The CVSS v4 base score is 5.3 (Medium). The vulnerability does not allow further escalation or code execution. However, it can still leak sensitive data the user themselves had uploaded (e.g., logs, configuration snippets, or debugging outputs) after their access rights were revoked.

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: github.com
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top