CVE-2026-34744 MEDIUM

CVE-2026-34744: MantisBT authorization bypass allows continued access to self-uploaded attachments on private issues

Vendor Mantisbt

Product mantisbt

Weakness CWE-200 · Info exposure

Published May 19, 2026

Last update May 20, 2026

View on NVD All CVEs

CVSS base score

5.3/10

Attack vector Network

Attack complexity Low

Privileges required Low

User interaction None

Confidentiality —

Integrity —

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

What the vulnerability does

01Description

Mantis Bug Tracker (MantisBT) is an open source issue tracker. Versions 2.28.1 and prior permit a user to list and download their own attachments from an Issue created by another user even after it becomes private, bypassing read access revocation. The loss of confidentiality caused by this vulnerability is minimal, considering that only attachments previously uploaded by the user themselves remain accessible. This issue has been fixed in version 2.82.2.

Key dates

02Disclosure timeline

May 19, 2026 CVE published

May 20, 2026 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2026-34744 CWE — Common Weakness Enumeration https://cwe.mitre.org/data/definitions/200.html

Related vulnerabilities

CVE-2026-34744: MantisBT authorization bypass allows continued access to self-uploaded attachments on private issues

01Description

02Disclosure timeline

03References

04Related CVE