Attachment Download Bypass in MantisBT 2.28.1-2.82.1 (Private Issue Access)
CVE-2026-34744 Published on May 19, 2026

MantisBT authorization bypass allows continued access to self-uploaded attachments on private issues
Mantis Bug Tracker (MantisBT) is an open source issue tracker. Versions 2.28.1 and prior allow a user to list and download attachments they uploaded to an issue reported by another user even after that issue has been made private, so the revocation of read access on the issue is not enforced for those attachments. The confidentiality impact is minimal, since only attachments the user previously uploaded themselves remain accessible. This issue has been fixed in version 2.82.2.
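The bug class described above is an authorization check on a child object (the attachment) that keeps an owner-based short-circuit alive after read access to the parent object (the issue) has been revoked. The following is an added, constructed model of that pattern, not MantisBT code: the Issue and Attachment classes, the two check functions and the user IDs are assumptions chosen to replay the advisory's sequence (user B uploads to A's public issue, A then makes the issue private) and to show the vulnerable predicate next to one that re-derives access from the issue's current view state.

```python
"""Constructed model of the authorization flaw in the advisory above.

This is NOT MantisBT code. The Issue/Attachment classes and the two check
functions are assumptions used to illustrate the bug class: a child object
(attachment) keeps an owner-based access path that survives after read
access to the parent object (issue) has been revoked.
"""
from dataclasses import dataclass, field

PUBLIC, PRIVATE = "public", "private"


@dataclass
class Attachment:
    attachment_id: int
    uploader_id: int
    filename: str


@dataclass
class Issue:
    issue_id: int
    reporter_id: int
    view_state: str = PUBLIC
    attachments: list = field(default_factory=list)


def can_view_issue(issue, user_id, is_privileged=False):
    """Issue-level read access (assumed rule): public issues are readable by
    any authenticated user; private ones only by the reporter or a
    privileged user."""
    if issue.view_state == PUBLIC:
        return True
    return user_id == issue.reporter_id or is_privileged


def can_download_vulnerable(issue, attachment, user_id, is_privileged=False):
    """Vulnerable pattern (assumed): the uploader short-circuit runs before
    the parent issue is checked, so making the issue private does not
    revoke access to the user's own earlier uploads."""
    if attachment.uploader_id == user_id:
        return True
    return can_view_issue(issue, user_id, is_privileged)


def can_download_fixed(issue, attachment, user_id, is_privileged=False):
    """Hardened pattern: access to the child object is gated on *current*
    read access to the parent; ownership is never consulted on its own."""
    if not can_view_issue(issue, user_id, is_privileged):
        return False
    # Any finer-grained attachment rule would go here. In this model anyone
    # who can read the issue may download its attachments.
    return True


def list_attachments(issue, user_id, check, is_privileged=False):
    """Listing uses the same predicate as download, so the listing leaks
    (or does not) exactly as the download path does."""
    return [a.filename for a in issue.attachments
            if check(issue, a, user_id, is_privileged)]


def scenario():
    """Replay the advisory's sequence and return what each user can list
    under each check once the issue has been made private."""
    alice, bob = 1, 2  # constructed user IDs: alice reports, bob contributes
    issue = Issue(issue_id=100, reporter_id=alice)
    issue.attachments.append(Attachment(1, alice, "repro.log"))
    issue.attachments.append(Attachment(2, bob, "bobs-patch.diff"))
    # While the issue is public both users see everything under either check.
    assert list_attachments(issue, bob, can_download_vulnerable) == [
        "repro.log", "bobs-patch.diff"]

    # Read access revoked: the reporter makes the issue private.
    issue.view_state = PRIVATE
    return {
        "bob_vulnerable": list_attachments(issue, bob, can_download_vulnerable),
        "bob_fixed": list_attachments(issue, bob, can_download_fixed),
        "alice_fixed": list_attachments(issue, alice, can_download_fixed),
    }


if __name__ == "__main__":
    print(scenario())
```

Under the vulnerable predicate Bob still lists and downloads `bobs-patch.diff` after the issue is private, which is the behaviour the advisory describes; under the hardened one he sees nothing, while the reporter keeps full access. The point to carry into a code review of any tracker or file store is that ownership of a child record must not bypass the parent's current visibility.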


Weakness Types

What is an Information Disclosure Vulnerability?

The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.

CVE-2026-34744 has been classified as an Information Disclosure vulnerability or weakness.

Improper Preservation of Permissions

The software does not preserve permissions or incorrectly preserves permissions when copying, restoring, or sharing objects, which can cause them to have less restrictive permissions than intended.


Products Associated with CVE-2026-34744


Affected Versions

mantisbt Version < 2.28.2 is affected by CVE-2026-34744

Exploit Probability

EPSS
0.01%
Percentile
2.53%

EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.