GHSA-rmp5-5jj7-gmvf

Source
https://github.com/advisories/GHSA-rmp5-5jj7-gmvf
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-rmp5-5jj7-gmvf/GHSA-rmp5-5jj7-gmvf.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-rmp5-5jj7-gmvf
Aliases
  • CVE-2026-34744
Published
2026-05-11T19:32:36Z
Modified
2026-05-11T19:48:58.447611Z
Severity
  • 5.3 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
Summary
MantisBT has an authorization bypass that allows reading attachments after losing access to a private issue
Details

MantisBT permits a user to list and download their own attachments from an Issue created by another user, even after that Issue becomes private and direct access to it is denied.

Impact

The loss of confidentiality caused by this vulnerability is minimal, considering that only the attachments previously uploaded by the user themselves remain accessible.

Patches

  • de7bdeec36de066235e38a77bf056917d951c84d

Workarounds

None.

Credits

Thanks to Vishal Shukla for discovering and responsibly reporting the issue.

Database specific
{
    "github_reviewed": true,
    "github_reviewed_at": "2026-05-11T19:32:36Z",
    "cwe_ids": [
        "CWE-200"
    ],
    "severity": "MODERATE",
    "nvd_published_at": null
}
References

Affected packages

Packagist / mantisbt/mantisbt

Package

Name
mantisbt/mantisbt
Purl
pkg:composer/mantisbt/mantisbt

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
2.28.2

Affected versions

2.*
2.3.0
2.3.1
2.3.2
2.3.3
2.4.0
2.4.1
2.4.2
2.5.0
2.5.1
2.5.2
2.6.0
2.7.0
2.7.1
2.8.0
2.8.1
2.9.0
2.9.1
2.10.0
2.10.1
2.11.0
2.11.1
2.12.0
2.12.1
2.12.2
2.13.0
2.13.1
2.13.2
2.14.0
2.15.0
2.15.1
2.16.0
2.16.1
2.17.0
2.17.1
2.17.2
2.18.0
2.18.1
2.19.0
2.19.1
2.20.0
2.20.1
2.21.0
2.21.1
2.21.2
2.21.3
2.22.0
2.22.1
2.22.2
2.23.0
2.23.1
2.24.0
2.24.1
2.24.2
2.24.3
2.24.4
2.24.5
2.25.0
2.25.1
2.25.2
2.25.3
2.25.4
2.25.5
2.25.6
2.25.7
2.25.8
2.26.0
2.26.1
2.26.2
2.26.3
2.26.4
2.27.0
2.27.1
2.27.2
2.27.3
2.28.0
2.28.1

Database specific

source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-rmp5-5jj7-gmvf/GHSA-rmp5-5jj7-gmvf.json"
last_known_affected_version_range
"<= 2.28.1"