Vulnerability details: VCID-41x9-p7gv-8fc2
Vulnerability ID VCID-41x9-p7gv-8fc2
Aliases CVE-2026-34390, GHSA-frf7-jhp9-jxm6
Summary MantisBT Vulnerable to Privilege Escalation from Manager to Administrator

Insufficient access control checks in _ProjectUsersAddCommand_ (used in *manage_proj_user_add.php* and the REST API endpoint `PUT /project/{id}/users`) allow users with *manage_project_threshold* access level (*manager* by default) to grant project-level *administrator* access to any user (including themselves) in any Project they have *manager* rights in. The normal project-user add form does restrict the selectable access levels to the actor's own project role or below; however, the backend handler still accepts a forged higher access_level value and writes it.

### Impact

Privilege escalation. The consequences are not as bad as they may sound: having *administrator* access at Project level is effectively not very different from being *manager*, and it does not give administrator privileges on the whole MantisBT instance. In particular, it does not let the upgraded user delete the Project, nor does it grant them any access to global administrative functions such as managing Users, Projects, Plugins, Custom Fields, etc.

### Patches

- 69e0180f180ed5acf48a8d281a73683a7bf32461

### Workarounds

None

### Credits

Thanks to the following security researchers for independently discovering and responsibly reporting the issue:

- [Dracosec Research Limited](https://dracosec.tech/) (Siu Nam Tang, Chris Chan, Krecendo Hui, William Lam)
- Vishal Shukla
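The flaw described above is a server-side handler trusting a client-supplied access level after checking only that the actor clears the manage threshold. As an added illustration (not MantisBT's code and not the referenced patch), the following Python model shows that flawed pattern beside the check that closes it: the granted level may never exceed the actor's own level in the project. The numeric access-level constants follow MantisBT's defaults and the in-memory store layout is an assumption made for the example.

```python
"""Toy model of the access-level check behind CVE-2026-34390.

Not MantisBT code: an in-memory per-project access map, a handler that
reproduces the flaw (it trusts the access_level in the request) and a
hardened handler that caps the granted level at the actor's own level.
"""

# Numeric access levels. The values follow MantisBT's default constants
# (an assumption for illustration; check core/constant_inc.php).
VIEWER, REPORTER, UPDATER, DEVELOPER, MANAGER, ADMINISTRATOR = 10, 25, 40, 55, 70, 90

# manage_project_threshold: the advisory states it is MANAGER by default.
MANAGE_PROJECT_THRESHOLD = MANAGER


class AccessDenied(Exception):
    """Raised when a request fails an authorization check."""


def sample_access():
    """Constructed sample state: project_id -> {user_id: access_level}."""
    return {1: {"alice": MANAGER, "bob": DEVELOPER}}


def actor_level(access, project_id, actor):
    """Effective access level of `actor` in `project_id` (0 if none)."""
    return access.get(project_id, {}).get(actor, 0)


def add_project_user_vulnerable(access, project_id, actor, target, level):
    """Flawed pattern: only checks that the actor clears the threshold,
    then writes whatever access_level the request carried."""
    if actor_level(access, project_id, actor) < MANAGE_PROJECT_THRESHOLD:
        raise AccessDenied("actor cannot manage project users")
    access.setdefault(project_id, {})[target] = level
    return access[project_id][target]


def add_project_user_hardened(access, project_id, actor, target, level):
    """Hardened pattern: the granted level may not exceed the actor's own
    level in this project, so a manager cannot hand out administrator
    access, whether to another user or to themselves."""
    own = actor_level(access, project_id, actor)
    if own < MANAGE_PROJECT_THRESHOLD:
        raise AccessDenied("actor cannot manage project users")
    if level > own:
        raise AccessDenied(f"requested level {level} exceeds actor level {own}")
    access.setdefault(project_id, {})[target] = level
    return access[project_id][target]


def forged_request_outcome():
    """Replays a manager granting themselves ADMINISTRATOR against both
    handlers on fresh copies of the sample state. Returns (level written
    by the vulnerable handler, whether the hardened handler refused)."""
    written = add_project_user_vulnerable(
        sample_access(), 1, "alice", "alice", ADMINISTRATOR)
    try:
        add_project_user_hardened(
            sample_access(), 1, "alice", "alice", ADMINISTRATOR)
        refused = False
    except AccessDenied:
        refused = True
    return written, refused


if __name__ == "__main__":
    print(forged_request_outcome())  # (90, True)
```

The check belongs in the command that both the web form and the REST endpoint call, not in the form alone: as the advisory notes, the form already limits the selectable levels, and the REST path bypasses it. Logging refused requests with actor, target and requested level also gives a simple detection signal for attempts against unpatched instances.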
Status Published
Exploitability None
Weighted Severity None
Risk None
Affected and Fixed Packages
Package Details
Weaknesses (1)
System Score Found at
epss 0.00015 https://api.first.org/data/v1/epss?cve=CVE-2026-34390
cvssv3.1_qr MODERATE https://github.com/advisories/GHSA-frf7-jhp9-jxm6
cvssv4 5.1 https://github.com/mantisbt/mantisbt
generic_textual MODERATE https://github.com/mantisbt/mantisbt
cvssv4 5.1 https://github.com/mantisbt/mantisbt/commit/69e0180f180ed5acf48a8d281a73683a7bf32461
generic_textual MODERATE https://github.com/mantisbt/mantisbt/commit/69e0180f180ed5acf48a8d281a73683a7bf32461
ssvc Track https://github.com/mantisbt/mantisbt/commit/69e0180f180ed5acf48a8d281a73683a7bf32461
cvssv3.1_qr MODERATE https://github.com/mantisbt/mantisbt/security/advisories/GHSA-frf7-jhp9-jxm6
cvssv4 5.1 https://github.com/mantisbt/mantisbt/security/advisories/GHSA-frf7-jhp9-jxm6
generic_textual MODERATE https://github.com/mantisbt/mantisbt/security/advisories/GHSA-frf7-jhp9-jxm6
ssvc Track https://github.com/mantisbt/mantisbt/security/advisories/GHSA-frf7-jhp9-jxm6
cvssv4 5.1 https://mantisbt.org/bugs/view.php?id=36995
generic_textual MODERATE https://mantisbt.org/bugs/view.php?id=36995
ssvc Track https://mantisbt.org/bugs/view.php?id=36995
cvssv4 5.1 https://mantisbt.org/bugs/view.php?id=37002
generic_textual MODERATE https://mantisbt.org/bugs/view.php?id=37002
ssvc Track https://mantisbt.org/bugs/view.php?id=37002
cvssv4 5.1 https://nvd.nist.gov/vuln/detail/CVE-2026-34390
generic_textual MODERATE https://nvd.nist.gov/vuln/detail/CVE-2026-34390
No exploits are available.
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N Found at https://github.com/mantisbt/mantisbt
Attack Vector (AV): network
Attack Complexity (AC): low
Attack Requirements (AT): none
Privileges Required (PR): high
User Interaction (UI): none
Vulnerable System Impact Confidentiality (VC): low
Vulnerable System Impact Integrity (VI): low
Vulnerable System Impact Availability (VA): none
Subsequent System Impact Confidentiality (SC): none
Subsequent System Impact Integrity (SI): none
Subsequent System Impact Availability (SA): none
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N Found at https://github.com/mantisbt/mantisbt/commit/69e0180f180ed5acf48a8d281a73683a7bf32461
Vector: SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-05-20T13:05:44Z/ Found at https://github.com/mantisbt/mantisbt/commit/69e0180f180ed5acf48a8d281a73683a7bf32461
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N Found at https://github.com/mantisbt/mantisbt/security/advisories/GHSA-frf7-jhp9-jxm6
Vector: SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-05-20T13:05:44Z/ Found at https://github.com/mantisbt/mantisbt/security/advisories/GHSA-frf7-jhp9-jxm6
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N Found at https://mantisbt.org/bugs/view.php?id=36995
Vector: SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-05-20T13:05:44Z/ Found at https://mantisbt.org/bugs/view.php?id=36995
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N Found at https://mantisbt.org/bugs/view.php?id=37002
Vector: SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-05-20T13:05:44Z/ Found at https://mantisbt.org/bugs/view.php?id=37002
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N Found at https://nvd.nist.gov/vuln/detail/CVE-2026-34390
Exploit Prediction Scoring System (EPSS)
Percentile 0.03348
EPSS Score 0.00015
Published At June 5, 2026, 12:55 p.m.
Date 2026-06-04T17:01:23.734806+00:00
Actor GithubOSV Importer
Action Import
Source https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-frf7-jhp9-jxm6/GHSA-frf7-jhp9-jxm6.json
VulnerableCode Version 38.6.0