MantisBT: Bugnote Revision Page Leaks Private Issue Metadata After Issue Access Is Revoked
Description
MantisBT allows a bugnote author to access the note's Revisions page after losing access to the parent private issue.
Impact
Disclosure of the private issue's ID and summary. The bugnote's full revision body remains protected.
Patches
71df1f67e05b2050cd4bd87839e6cc13747cf03f
Workarounds
None
Credits
Thanks to Vishal Shukla for discovering and responsibly reporting the issue.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
MantisBT bugnote revision page leaks private issue ID and summary after user loses access to the parent private issue.
Vulnerability
CVE-2026-34970 is an authorization bypass in MantisBT's bugnote revision page. The root cause lies in the access_can_view_bugnote_revisions() function, which allowed a bugnote reporter to view revisions even after losing access to the parent private issue. The function only checked if the user was the bugnote reporter or had the required threshold, but did not verify that the user still had access to the parent bug [1][4].
Exploitation
An attacker must be a bugnote author on a private issue. After their access to the issue is revoked (e.g., removed from the project or the issue is made private), they can still access the revision page by directly navigating to /bug_revision_view_page.php?bugnote_id=<id>. The page returns HTTP 200 and renders issue metadata such as the issue ID and summary, but does not disclose the full revision body [4].
Impact
Successful exploitation results in disclosure of the private issue's ID and summary. This is a metadata leakage; the issue itself remains inaccessible, but the exposed information can reveal sensitive project details [1][4].
Mitigation
The vulnerability is fixed in commit 71df1f67e05b2050cd4bd87839e6cc13747cf03f, which adds a check for parent bug access before allowing revision viewing [3]. No workarounds are available; users should apply the patch immediately [1].
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
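As an added illustration (not MantisBT's own code), the following minimal PHP model reproduces the shape of the access check described above, using constructed fixtures, stand-in threshold values and hypothetical function names: a bugnote author who has since been removed from the project passes the old check because authorship is tested on its own, and fails the fixed check because parent-bug access is required first.

```php
<?php
// Added example, not MantisBT code: an in-memory model of the bugnote revision
// access check before and after the fix. All fixtures, thresholds and function
// names are constructed for illustration.

const T_VIEW_BUG      = 10;  // stand-in for view_bug_threshold
const T_VIEW_REVISION = 55;  // stand-in for bug_revision_view_threshold

// Constructed data: one bug (101) in project 1 visible only to members, one note (500) on it.
$bugs     = [ 101 => [ 'project_id' => 1, 'reporter_id' => 1, 'summary' => 'Private: rotate API keys' ] ];
$bugnotes = [ 500 => [ 'bug_id' => 101, 'reporter_id' => 2 ] ];
// Per-project access levels. User 2 wrote note 500 but was later removed from project 1.
$project_access = [ 1 => [ 1 => 90 ] ];

function access_level( array $project_access, int $project_id, int $user_id ): int {
    return $project_access[$project_id][$user_id] ?? 0;
}

// Parent-bug visibility: the bug's reporter or a member meeting the view threshold.
function can_view_bug( array $bugs, array $project_access, int $bug_id, int $user_id ): bool {
    $bug = $bugs[$bug_id];
    return $bug['reporter_id'] === $user_id
        || access_level( $project_access, $bug['project_id'], $user_id ) >= T_VIEW_BUG;
}

// Vulnerable shape: note authorship alone is sufficient, so a revoked author still passes.
function can_view_revisions_vulnerable( array $bugs, array $bugnotes, array $project_access, int $bugnote_id, int $user_id ): bool {
    $note       = $bugnotes[$bugnote_id];
    $project_id = $bugs[$note['bug_id']]['project_id'];
    return access_level( $project_access, $project_id, $user_id ) >= T_VIEW_REVISION
        || $note['reporter_id'] === $user_id;
}

// Fixed shape: deny unless the user can still see the parent bug, then apply the old rule.
function can_view_revisions_fixed( array $bugs, array $bugnotes, array $project_access, int $bugnote_id, int $user_id ): bool {
    $note = $bugnotes[$bugnote_id];
    if ( !can_view_bug( $bugs, $project_access, $note['bug_id'], $user_id ) ) {
        return false;
    }
    return can_view_revisions_vulnerable( $bugs, $bugnotes, $project_access, $bugnote_id, $user_id );
}

// User 2: author of note 500, no longer a member of project 1.
foreach ( [ 'vulnerable' => 'can_view_revisions_vulnerable', 'fixed' => 'can_view_revisions_fixed' ] as $label => $fn ) {
    $allowed = $fn( $bugs, $bugnotes, $project_access, 500, 2 );
    // When the check passes, the revision page renders the parent bug's ID and summary.
    echo $label, ': ', $allowed ? 'renders bug #101 "' . $bugs[101]['summary'] . '"' : 'denied', PHP_EOL;
}
```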
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| mantisbt/mantisbt (Packagist) | < 2.28.2 | 2.28.2 |
Affected products
Patches
71df1f67e05b Fix bugnote revisions access check
1 file changed · +13 −2
core/access_api.php+13 −2 modified@@ -975,7 +975,8 @@ function access_can_view_bug_revisions( $p_bug_id, $p_user_id = null ) { /** * Return true if user is allowed to view bugnote revisions. * - * User must have $g_bug_revision_view_threshold or be the bugnote's reporter. + * User must have $g_bug_revision_view_threshold or be the bugnote's reporter, + * and have access to the parent bug. * * @param int $p_bugnote_id * @param int $p_user_id @@ -990,12 +991,22 @@ function access_can_view_bugnote_revisions( $p_bugnote_id, $p_user_id = null ) { $t_project_id = bug_get_field( $t_bug_id, 'project_id' ); $t_user_id = null === $p_user_id ? auth_get_current_user_id() : $p_user_id; + # User must have access to the parent bug + $t_has_access = bug_is_user_reporter( $t_bug_id, $t_user_id ) + || access_has_bug_level( + config_get( 'view_bug_threshold', null, $t_user_id, $t_project_id ), + $t_bug_id, + $t_user_id + ); + if( !$t_has_access ) { + return false; + } + $t_has_access = access_has_bugnote_level( config_get( 'bug_revision_view_threshold', null, $t_user_id, $t_project_id ), $p_bugnote_id, $t_user_id ); - return $t_has_access || bugnote_is_user_reporter( $p_bugnote_id, $t_user_id ); }
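Review bot: the updated docblock in the first hunk says the user must "have access to the parent bug" without saying what that means; since the code grants parent access to the bug's reporter or to anyone meeting `view_bug_threshold`, spell that out in the docblock so callers know the reporter path does not go through the threshold.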
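Review bot: the second hunk deletes `- return $t_has_access || bugnote_is_user_reporter( $p_bugnote_id, $t_user_id );` with no replacement `+` line visible here, so as shown the function ends after the `access_has_bugnote_level(...)` assignment and falls off the end, returning null (falsy) for every caller, including reporters who pass the new parent-bug check. Confirm that a final `return $t_has_access || bugnote_is_user_reporter( $p_bugnote_id, $t_user_id );` is present in the committed file. Also, `$t_has_access` is reused for two different checks; a distinct name such as `$t_can_view_bug` for the parent-bug result would make the early return easier to read.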
References