Listen to this Post
The flaw stems from a missing server‑side authorization check when the REST API handles attachment uploads. An unauthenticated attacker first obtains a valid session by logging into MantisBT with any set of credentials (e.g., a standard Reporter account). After authentication, the attacker crafts a `POST` request to the endpoint `/api/rest/issues/{issue_id}/files` where `{issue_id}` is the numeric identifier of a private issue that the attacker should not be able to see or modify. Because the REST controller that processes the file upload does not re‑validate the user’s access rights to the target issue, the request proceeds to the underlying database and file system logic. The attacker supplies a multipart/form‑data payload that includes the file to be uploaded, along with the appropriate `Authorization` header containing the previously obtained session token. Since the issue access check is performed only on the initial issue fetch (e.g., when listing issues) and not on the attachment endpoint itself, the system incorrectly accepts the upload. The file is then written to the configured attachment directory and linked to the private issue in the database. As a result, sensitive files such as internal logs, patches, or documents intended only for developers or managers become accessible to any authenticated user who knows or can guess the private issue’s identifier. The web user interface is not affected, as it strictly filters visible issues based on access rights, but the REST API endpoint bypasses this logic. The issue was assigned CVE‑2026‑34754 and classified as Moderate severity.
DailyCVE Form
Platform: MantisBT Version: <2.26.2 Vulnerability: Auth Bypass Severity: Moderate Date: 2026-05-11 Prediction: 2026-05-11
What Undercode Say
Analytics from the advisory database show that the vulnerable endpoint was the `issues/{id}/files` REST route. The following `curl` command illustrates a benign test to verify the presence of the flaw:
Replace $ISSUE_ID with a private issue number curl -X POST "$MANTIS_URL/api/rest/issues/$ISSUE_ID/files" \ -H "Authorization: $SESSION_TOKEN" \ -F "[email protected]"
If the upload succeeds despite the user lacking access to the issue, the system remains vulnerable. The patch introduces a call to `access_ensure_issue_level()` before processing the attachment, matching the check already present in the web interface.
Exploit
An authenticated attacker (e.g., with Reporter access) can exploit the weakness by:
1. Obtaining a valid session token via standard login.
2. Sending a multipart POST request to `/api/rest/issues/{private_issue_id}/files` containing the malicious file.
3. Observing the HTTP `201 Created` response, confirming the file was uploaded to a restricted issue.
Example minimal exploit script:
!/bin/bash ISSUE_ID=42 private issue number curl -X POST "$MANTIS_URL/api/rest/issues/$ISSUE_ID/files" \ -H "Authorization: $SESSION_TOKEN" \ -F "[email protected]"
Protection from this CVE
- Upgrade to the patched version (e.g., MantisBT 2.26.2 or later). The fix is contained in commit
b262b4d2835b81394d75356dead66e52a6275206. - Disable the REST API if not explicitly required (set `$g_rest_api_enabled = OFF;` in
config_inc.php). - Monitor logs for unexpected `POST` requests to `/api/rest/issues//files` from low‑privileged accounts.
- Apply the official patch manually if an immediate upgrade is not possible; the patch adds a single access‑control call in
api/rest/restcore/issues_rest.php.
Impact
- Confidentiality – An attacker can upload arbitrary files to any private issue, potentially leaking sensitive internal documents (e.g., design specifications, security patches, customer data) that were meant to stay hidden.
- Integrity – Malicious files (e.g., HTML or script files) uploaded to a private issue could be used in a second‑stage attack if the issue is later made public or if a privileged user accesses the file.
- Privilege Escalation – By injecting files into developer‑only discussions, an attacker may gain insight that aids further exploitation, though direct privilege escalation is not inherent.
- Compliance – Breaching private issues may violate data protection regulations (e.g., GDPR, HIPAA) if personally identifiable or regulated data resides in the bug tracker.
🎯Let’s Practice Exploiting & Learn Patching For Free:
Sources:
Reported By: github.com
Extra Source Hub:
Undercode

