GHSA-ggw7-9675-6v4v

Source
https://github.com/advisories/GHSA-ggw7-9675-6v4v
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-ggw7-9675-6v4v/GHSA-ggw7-9675-6v4v.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-ggw7-9675-6v4v
Aliases
  • CVE-2026-34579
Published
2026-05-11T19:32:22Z
Modified
2026-05-11T19:48:59.091359Z
Severity
  • 5.3 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
Summary
MantisBT has an authorization bypass in private issue monitoring
Details

Using a crafted POST request to bugmonitoradd.php, a user with project-level access can add themselves as a monitor of a private issue they are not allowed to view. The application displays an Access Denied error, but still accepts the request and creates the monitor relationship for the private issue.

Impact

Direct access to the private issue remains blocked, but the monitoring user then receives email notifications for every update, which discloses the private issue's metadata and content.
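As an added illustration, and not MantisBT's own code (every function, field and variable name below is hypothetical), the following PHP contrasts the two shapes of an authorization gate. The first only renders an error and keeps going, which is the behaviour described above: the denial message is shown, yet the monitor row is still written. The second terminates the request before any state changes and records the denied attempt for auditing.

```php
<?php
// Added example, not MantisBT code. All names here are hypothetical.
declare(strict_types=1);

// Hypothetical visibility rule: a private issue is visible only to its
// reporter or to users holding the 'private_access' right.
function user_can_view_issue(array $user, array $issue): bool {
    if (!$issue['private']) {
        return true;
    }
    return $user['id'] === $issue['reporter_id']
        || in_array('private_access', $user['rights'], true);
}

// Vulnerable shape: the failed check emits an error message, but nothing
// stops execution, so the monitor relationship is created anyway.
function add_monitor_vulnerable(array $user, array $issue, array &$monitors): string {
    $out = '';
    if (!user_can_view_issue($user, $issue)) {
        $out .= "Access Denied\n";   // message only; no return, no exit
    }
    $monitors[] = ['issue' => $issue['id'], 'user' => $user['id']];
    $out .= "Monitor added\n";
    return $out;
}

// Fixed shape: a denied check ends the request before any write happens,
// and the attempt is logged so it can be picked up by monitoring.
function add_monitor_fixed(array $user, array $issue, array &$monitors): string {
    if (!user_can_view_issue($user, $issue)) {
        error_log(sprintf(
            'authz denied: user %d tried to monitor private issue %d',
            $user['id'], $issue['id']
        ));
        return "Access Denied\n";    // nothing below this line runs
    }
    $monitors[] = ['issue' => $issue['id'], 'user' => $user['id']];
    return "Monitor added\n";
}

// Constructed sample data: a private issue and a user who may not view it.
$issue    = ['id' => 42, 'private' => true, 'reporter_id' => 7];
$outsider = ['id' => 13, 'rights' => ['project_access']];

$m1 = [];
echo add_monitor_vulnerable($outsider, $issue, $m1);
printf("monitor rows after vulnerable handler: %d\n", count($m1)); // row written despite the error

$m2 = [];
echo add_monitor_fixed($outsider, $issue, $m2);
printf("monitor rows after fixed handler: %d\n", count($m2));      // no row written
```

The practical check is not whether the error text appears in the response, but whether the side effect happened: after a denied request, query the monitor table (or whatever store the action writes to) and confirm nothing was added. Handlers that build output incrementally are where this pattern tends to hide, because a denial message can be appended without interrupting the control flow.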

Patches

  • 0a93267deba445fb9d15250c16e6fdb1246ffa65

Workarounds

None

Credits

Thanks to Vishal Shukla for discovering and responsibly reporting the issue.

Database specific
{
    "github_reviewed": true,
    "github_reviewed_at": "2026-05-11T19:32:22Z",
    "cwe_ids": [
        "CWE-201"
    ],
    "severity": "MODERATE",
    "nvd_published_at": null
}
References

Affected packages

Packagist / mantisbt/mantisbt

Package

Name
mantisbt/mantisbt
Purl
pkg:composer/mantisbt/mantisbt

Affected ranges

Type
ECOSYSTEM
Events
Introduced
2.26.1
Fixed
2.28.2

Affected versions

2.*
2.26.1
2.26.2
2.26.3
2.26.4
2.27.0
2.27.1
2.27.2
2.27.3
2.28.0
2.28.1

Database specific

source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-ggw7-9675-6v4v/GHSA-ggw7-9675-6v4v.json"
last_known_affected_version_range
"<= 2.28.1"