MantisBT has an authorization bypass in private issue monitoring
Description
Using a crafted POST request to bug_monitor_add.php, a user with project-level access can add themselves as a monitor for a private issue they do not have access to. Despite displaying an Access Denied error, the application accepts the request and creates a monitor relationship for the private issue.
Impact
Direct access to the private issue remains blocked, but the user will receive email notifications for updates, leading to disclosure of the private issue's metadata and content.
Patches
0a93267deba445fb9d15250c16e6fdb1246ffa65
Workarounds
None
Credits
Thanks to Vishal Shukla for discovering and responsibly reporting the issue.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
MantisBT 2.26.1 allows users with project-level access to subscribe to private issues via a crafted POST request, leading to disclosure of issue metadata and content through email notifications.
Vulnerability
Overview
CVE-2026-34579 is an authorization bypass vulnerability in Mantis Bug Tracker (MantisBT) versions prior to 2.28.2. The bug resides in the bug_monitor_add.php endpoint and the MonitorAddCommand class. The root cause is that the monitor-add flow validates permissions using access_has_project_level() instead of a bug-level visibility check. This means the action is authorized based on project membership and threshold alone, without enforcing access to the specific private issue [2].
Exploitation
An authenticated user with project-level access can exploit this by obtaining a valid bug_monitor_add_token from an issue they can view, then replaying the request with a modified bug_id pointing to a private issue they are not permitted to see. The application accepts the request and creates a monitor relationship for the private issue, even though it displays an "Access Denied" error [2][4]. No additional authentication or network position is required beyond a valid session with project access.
Impact
While direct access to the private issue remains blocked in the web UI, the user will receive email notifications for updates to that issue. Based on the recipient-building logic in email_api.php, this creates a credible path to disclosure of private issue metadata and content through email notifications [2]. The vulnerability has a CVSS score of 6.5 (Medium), reflecting the partial confidentiality breach.
Mitigation
The issue was fixed in commit 0a93267deba445fb9d15250c16e6fdb1246ffa65, which changes the permission check for a user adding themselves as a monitor from access_has_project_level to access_has_bug_level [3]. The fix is included in MantisBT version 2.28.2. No workarounds are available; users must upgrade to the patched version [1][4].
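To make the root cause concrete, here is an added example (not MantisBT code) that models the two checks named above over constructed data. It implements a simplified version of the project-level and bug-level rules (the names access_has_project_level, access_has_bug_level, monitor_bug_threshold and private_bug_threshold follow MantisBT's, but the visibility rule and the numeric levels are assumptions made for this model), then runs the same monitor-add request through the pre-fix and post-fix authorization logic.

```python
"""Simplified model of the monitor-add authorization check.

Added example, not MantisBT code. It models the two checks the advisory
names (access_has_project_level vs access_has_bug_level) over constructed
data and shows why authorizing on project membership alone lets a user
monitor a private issue they cannot view.
"""
from dataclasses import dataclass, field

# Access levels in MantisBT's numeric ordering (assumed subset for this model).
VIEWER, REPORTER, DEVELOPER = 10, 25, 55


@dataclass
class Bug:
    bug_id: int
    project_id: int
    reporter_id: int
    private: bool  # models view_state = private


@dataclass
class Project:
    project_id: int
    # user_id -> access level granted on this project
    members: dict = field(default_factory=dict)
    # assumed threshold values; the key names follow MantisBT config keys
    monitor_bug_threshold: int = REPORTER
    private_bug_threshold: int = DEVELOPER


def access_has_project_level(projects, threshold, project_id, user_id):
    """Project-level check: membership and threshold only, no per-bug view."""
    return projects[project_id].members.get(user_id, 0) >= threshold


def access_has_bug_level(projects, bugs, threshold, bug_id, user_id):
    """Bug-level check: project threshold plus visibility of this bug.

    Simplified visibility rule (assumption): a private bug is visible to its
    reporter or to members at or above private_bug_threshold.
    """
    bug = bugs[bug_id]
    project = projects[bug.project_id]
    if not access_has_project_level(projects, threshold, bug.project_id, user_id):
        return False
    if not bug.private or bug.reporter_id == user_id:
        return True
    return project.members.get(user_id, 0) >= project.private_bug_threshold


def monitor_add_vulnerable(projects, bugs, bug_id, user_id):
    """Pre-fix behaviour: authorizes on the project level of the bug's project."""
    bug = bugs[bug_id]
    threshold = projects[bug.project_id].monitor_bug_threshold
    if not access_has_project_level(projects, threshold, bug.project_id, user_id):
        raise PermissionError("ERROR_MONITOR_ACCESS_TOO_LOW")
    return ("monitor", bug_id, user_id)


def monitor_add_fixed(projects, bugs, bug_id, user_id):
    """Post-fix behaviour: authorizes on the bug level, so a private issue the
    user cannot view is rejected instead of silently monitored."""
    bug = bugs[bug_id]
    threshold = projects[bug.project_id].monitor_bug_threshold
    if not access_has_bug_level(projects, bugs, threshold, bug_id, user_id):
        raise PermissionError("ERROR_ACCESS_DENIED")
    return ("monitor", bug_id, user_id)


def build_fixture():
    """Constructed sample data: one project with a developer (id 3) and a
    reporter-level member (id 7); bug 101 is private and reported by user 3."""
    projects = {1: Project(1, members={3: DEVELOPER, 7: REPORTER})}
    bugs = {
        100: Bug(100, project_id=1, reporter_id=3, private=False),
        101: Bug(101, project_id=1, reporter_id=3, private=True),
    }
    return projects, bugs


def outcome(check, bug_id, user_id):
    """Run one monitor-add request and report the decision as a string."""
    projects, bugs = build_fixture()
    try:
        check(projects, bugs, bug_id, user_id)
        return "allowed"
    except PermissionError as err:
        return str(err)


if __name__ == "__main__":
    for name, check in (("vulnerable", monitor_add_vulnerable),
                        ("fixed", monitor_add_fixed)):
        print(name, "public bug 100, user 7:", outcome(check, 100, 7))
        print(name, "private bug 101, user 7:", outcome(check, 101, 7))
        print(name, "private bug 101, user 3:", outcome(check, 101, 3))
```

Running it shows the asymmetry at the heart of the advisory: user 7 meets the monitor threshold on the project, so the project-level check accepts a request for private bug 101 even though the same user fails the bug-level visibility rule; only the bug-level variant rejects that request, while the reporter of the private bug is still allowed to monitor it.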
- [1] GitHub - mantisbt/mantisbt: Mantis Bug Tracker (MantisBT)
- [2] 0036975: CVE-2026-34579: Authorization bypass in private issue monitoring allows unauthorized users to subscribe to restricted issues
- [3] Only let users monitor private issues they can access · mantisbt/mantisbt@0a93267
- [4] Authorization bypass in private issue monitoring
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| mantisbt/mantisbt (Packagist) | >= 2.26.1, < 2.28.2 | 2.28.2 |
Affected products
Patches
0a93267deba4 Only let users monitor private issues they can access
1 file changed · +18 −16
core/commands/MonitorAddCommand.php+18 −16 modified@@ -14,6 +14,10 @@ # You should have received a copy of the GNU General Public License # along with MantisBT. If not, see <http://www.gnu.org/licenses/>. +/** + * @noinspection PhpUnhandledExceptionInspection + */ + require_api( 'authentication_api.php' ); require_api( 'bug_api.php' ); require_api( 'constant_inc.php' ); @@ -53,7 +57,7 @@ function __construct( array $p_data ) { /** * Validate the data. */ - function validate() { + function validate() { $t_issue_id = helper_parse_issue_id( $this->query( 'issue_id' ) ); $this->projectId = bug_get_field( $t_issue_id, 'project_id' ); 
@@ -78,27 +82,25 @@ function validate() { throw new ClientException( "anonymous account can't monitor issues", ERROR_PROTECTED_ACCOUNT ); } - if( $t_logged_in_user != $t_user_id ) { - $t_access_level = config_get( + $t_monitor_bug = config_get( 'monitor_bug_threshold', null, null, $this->projectId ); + + if( $t_logged_in_user == $t_user_id ) { + if( !access_has_bug_level( $t_monitor_bug, $t_issue_id, $t_user_id ) ) { + throw new ClientException( 'access denied', ERROR_ACCESS_DENIED ); + } + } else { + if( !access_has_project_level( $t_monitor_bug, $this->projectId, $t_user_id ) ) { + throw new ClientException( 'access denied', ERROR_MONITOR_ACCESS_TOO_LOW ); + } + + $t_monitor_add_others = config_get( 'monitor_add_others_bug_threshold', /* default */ null, /* user */ null, $this->projectId ); - - if( !access_has_bug_level( $t_access_level, $t_issue_id, $t_logged_in_user ) ) { + if( !access_has_bug_level( $t_monitor_add_others, $t_issue_id, $t_logged_in_user ) ) { throw new ClientException( 'access denied', ERROR_ACCESS_DENIED ); } - - } - - $t_access_level = config_get( - 'monitor_bug_threshold', - /* default */ null, - /* user */ null, - $this->projectId ); - - if( !access_has_project_level( $t_access_level, $this->projectId, $t_user_id ) ) { - throw new ClientException( 'access denied', ERROR_MONITOR_ACCESS_TOO_LOW ); } $this->userIdsToAdd[] = $t_user_id;
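Review bot: the `@noinspection PhpUnhandledExceptionInspection` docblock added in the first hunk (@@ -14,6 +14,10) is an IDE suppression with no bearing on the authorization fix; bundling it into a security commit adds unrelated lines for anyone auditing the change, so it belongs in a separate housekeeping commit or at least deserves a mention in the commit message.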
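Review bot: the second hunk (@@ -53,7 +57,7) changes only whitespace on the `function validate() {` line; with nothing functional in it, drop it or fold it into the same housekeeping commit so the security-relevant diff stays minimal and easy to backport.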
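Review bot: in the third hunk (@@ -78,27 +82,25) the self-monitor branch now calls `access_has_bug_level( $t_monitor_bug, $t_issue_id, $t_user_id )`, which is the right granularity: a private issue the user cannot view now fails the check instead of passing on project membership alone. Two points to settle before merge. First, this branch throws `ERROR_ACCESS_DENIED` where the old project-level check threw `ERROR_MONITOR_ACCESS_TOO_LOW`, so a user who merely falls below `monitor_bug_threshold` on a public issue will see a different error than before; confirm that change in the user-visible error is intended, or keep the threshold case on its old code and reserve `ERROR_ACCESS_DENIED` for the visibility failure. Second, in the `else` branch the target `$t_user_id` is still checked only with `access_has_project_level`; the acting user must pass `access_has_bug_level` for `monitor_add_others_bug_threshold`, but nothing here verifies that the target user can view the private issue, so either the recipient-building logic in `email_api.php` must be confirmed to filter such users out, or this check should also become bug-level for the target. A regression test covering a non-privileged user attempting to monitor a private issue they cannot view would pin the fix in place.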
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.