CVE-2026-34744

Vulnerability Description

Mantis Bug Tracker (MantisBT) is an open source issue tracker. Versions 2.28.1 and prior permit a user to list and download their own attachments from an Issue created by another user even after it becomes private, bypassing read access revocation. The loss of confidentiality caused by this vulnerability is minimal, considering that only attachments previously uploaded by the user themselves remain accessible. This issue has been fixed in version 2.82.2.

Related Weaknesses (CWE)

References

• https://github.com/mantisbt/mantisbt/commit/de7bdeec36de066235e38a77bf056917d951
• https://github.com/mantisbt/mantisbt/security/advisories/GHSA-rmp5-5jj7-gmvf
• https://mantisbt.org/bugs/view.php?id=36977

FAQ

What is CVE-2026-34744?

CVE-2026-34744 is a documented vulnerability. Mantis Bug Tracker (MantisBT) is an open source issue tracker. Versions 2.28.1 and prior permit a user to list and download their own attachments from an Issue created by another user even after it be...

How severe is CVE-2026-34744?

CVSS scoring is not yet available for CVE-2026-34744. Check NVD for updates.

Is there a patch for CVE-2026-34744?

Check the references section above for vendor advisories and patch information. Review vendor security bulletins for remediation guidance.