VYPR
Moderate severity · GHSA Advisory · Published May 11, 2026 · Updated May 11, 2026

MantisBT has an authorization bypass that allows reading attachments after losing access to a private issue

CVE-2026-34744

Description

MantisBT permits a user to list and download their own attachments from an Issue created by another user, even after that Issue becomes private and direct access to it is denied.

Impact

The loss of confidentiality caused by this vulnerability is minimal, since only attachments previously uploaded by the user themselves remain accessible.

Patches

de7bdeec36de066235e38a77bf056917d951c84d

Workarounds

None.

Credits

Thanks to Vishal Shukla for discovering and responsibly reporting the issue.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

MantisBT allows users to list and download their own attachments from an issue even after that issue becomes private, due to an authorization bypass in attachment visibility logic.

Root Cause

The vulnerability stems from the file_can_view_or_download() function, which first checks if the user has normal bug-level access to an issue. If that check fails, it falls back to checking whether the user uploaded the attachment and whether the configuration allows viewing/downloading own attachments [1][3]. This means attachment ownership is treated as sufficient for continued access, even after the user loses access to the issue itself [1]. The patch (commit de7bdee) adds an explicit check for view_bug_threshold before allowing any attachment access [3].
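The decision structure described above, as an added Python model written for this page (it is not MantisBT's PHP): the pre-patch check with its own-upload fallback beside the post-patch check that gates on view_bug_threshold first. The access-level constants, the private-issue rule in access_has_bug_level and the scenario data are assumptions, modelled on MantisBT's conventions.

```python
"""Constructed model of the attachment access decision behind CVE-2026-34744.
Not MantisBT code: it reproduces the decision structure the advisory describes
so pre- and post-patch behaviour can be compared. Access levels and the
private-issue rule are assumed to follow MantisBT's conventions."""
from dataclasses import dataclass

VIEWER, REPORTER, DEVELOPER = 10, 25, 55  # assumed MantisBT access levels

@dataclass
class Issue:
    reporter_id: int
    private: bool = False

@dataclass
class Config:
    view_bug_threshold: int = VIEWER
    private_bug_threshold: int = DEVELOPER  # level needed to see private issues
    view_attachments_threshold: int = VIEWER
    allow_view_own_attachments: bool = True

def access_has_bug_level(threshold, issue, user_id, user_level, cfg):
    """Models access_has_bug_level(): a private issue raises the bar to
    private_bug_threshold unless the user is the issue's reporter."""
    if issue.private and issue.reporter_id != user_id:
        threshold = max(threshold, cfg.private_bug_threshold)
    return user_level >= threshold

def can_download_before_patch(uploader_id, issue, user_id, user_level, cfg):
    # Pre-patch shape of file_can_view_or_download(): if the bug-level check
    # fails, fall back to "did this user upload the file?" (the bypass).
    if access_has_bug_level(cfg.view_attachments_threshold, issue, user_id, user_level, cfg):
        return True
    return cfg.allow_view_own_attachments and uploader_id == user_id

def can_download_after_patch(uploader_id, issue, user_id, user_level, cfg):
    # Post-patch: failing view_bug_threshold denies access outright,
    # whoever uploaded the file; the own-upload fallback only applies after.
    if not access_has_bug_level(cfg.view_bug_threshold, issue, user_id, user_level, cfg):
        return False
    return can_download_before_patch(uploader_id, issue, user_id, user_level, cfg)

def scenario():
    """User 7 (REPORTER) uploaded to user 1's public issue, later made private."""
    cfg = Config(view_attachments_threshold=DEVELOPER)  # attachments need DEVELOPER
    issue = Issue(reporter_id=1)
    args = (7, issue, 7, REPORTER, cfg)  # uploader_id == user_id == 7
    public = (can_download_before_patch(*args), can_download_after_patch(*args))
    issue.private = True
    private = (can_download_before_patch(*args), can_download_after_patch(*args))
    return {"public": public, "private": private}  # (before_patch, after_patch)
```

While the issue is public both versions allow the download, which is the legitimate case the own-upload fallback exists for; once the issue is private only the patched logic denies it.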

Exploitation

A low-privileged user who uploaded a file to a public issue can still access that attachment after the issue is made private. The user receives a 403 Forbidden when attempting to view the issue page directly, but can list attachments via the REST API (/api/rest/issues/2/files) and download the file via file_download.php [1]. No additional authentication or privileges are required beyond the initial session [1].

Impact

The attacker gains continued access only to their own previously uploaded attachments, not to other users' files. The loss of confidentiality is considered minimal, but it bypasses the intended access control policy set by the issue's privacy change [1][4].

Mitigation

The issue is fixed in commit de7bdeec36de066235e38a77bf056917d951c84d, which is included in subsequent MantisBT releases [3][4]. No workarounds are available; users should upgrade to a patched version [1][4].

AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                          Affected versions   Patched versions
mantisbt/mantisbt (Packagist)    < 2.28.2            2.28.2

Affected products (2)

  • Mantisbt/Mantisbt (GHSA), 2 versions: <= 2.28.1
    • (no CPE) range: <= 2.28.1
    • (no CPE)

Patches (1)

de7bdeec36de

Prevent access to private issues' file attachments

https://github.com/mantisbt/mantisbt · Damien Regad · Mar 30, 2026 · via ghsa
2 files changed · +12 −1
  • core/commands/IssueFileGetCommand.php (+7 −1, modified)
    @@ -55,6 +55,13 @@ function __construct( array $p_data ) {
     	 */
     	function validate() {
     		$this->issue_id = helper_parse_issue_id( $this->query( 'issue_id' ) );
    +		$this->user_id = auth_get_current_user_id();
    +
    +		bug_ensure_exists( $this->issue_id );
    +
    +		if( !access_has_bug_level( config_get( 'view_bug_threshold' ), $this->issue_id, $this->user_id ) ) {
    +			throw new ClientException( 'access denied', ERROR_ACCESS_DENIED );
    +		}
     	}
     
     	/**
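    Review bot: the new `access_has_bug_level( config_get( 'view_bug_threshold' ), ... )` check in validate() duplicates the guard added to file_can_view_or_download() in core/file_api.php. That redundancy is sound, since this command backs the REST file listing while the File API guard covers file_download.php, but a one-line comment stating that the two checks are intentionally redundant would stop a later cleanup from dropping one of them. Note also that `$this->user_id` is now assigned here, so process() depends on validate() having run first.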
    @@ -64,7 +71,6 @@ function validate() {
     	 */
     	protected function process() {
     		$t_issue = bug_get( $this->issue_id, true );
    -		$this->user_id = auth_get_current_user_id();
     
     		if( $t_issue->project_id != helper_get_current_project() ) {
     			# in case the current project is not the same project of the bug we are
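    Review bot: removing `$this->user_id = auth_get_current_user_id();` from process() leaves `$this->user_id` unset unless validate() (which now performs the assignment) has already run. If the command base class guarantees validate() precedes process() this is fine; otherwise the `bug_get( $this->issue_id, true )` path runs with a null user id. A short comment in process() naming that precondition would make the dependency visible to the next reader.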
    
  • core/file_api.php (+5 −0, modified)
    @@ -238,6 +238,11 @@ function file_bug_has_attachments( $p_bug_id ) {
      * @internal Should not be used outside of File API.
      */
     function file_can_view_or_download( $p_action, $p_bug_id, $p_uploader_user_id, $p_bugnote_id = null ) {
    +	# If user can't view the bug, then they can't access its attachments either
    +	if( !access_has_bug_level( config_get( 'view_bug_threshold' ), $p_bug_id ) ) {
    +		return false;
    +	}
    +
     	switch( $p_action ) {
     		case 'view':
     			$t_threshold_global = 'view_attachments_threshold';
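    Review bot: the early return calls `access_has_bug_level()` with only two arguments, so it always evaluates the current session user, while file_can_view_or_download() takes `$p_uploader_user_id` but no viewer parameter. That matches how the function is used, but the docblock above (already marked `@internal`) should say that the check is made against the logged-in user, so a future caller passing a different uploader id does not assume the guard covers that user. Placing the guard before `switch( $p_action )` is the right choice: denial no longer depends on which action or threshold applies.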
    

References (4)
