Staging Environment: Content and features may be unstable or change without notice.
Search for vulnerabilities
Vulnerability details: VCID-kd7p-6ypr-hucb
Vulnerability ID VCID-kd7p-6ypr-hucb
Aliases CVE-2026-34579
GHSA-ggw7-9675-6v4v
Summary MantisBT has an authorization bypass in private issue monitoring Using a crafted POST request to bug_monitor_add.php, a user with project-level access can add themselves as a monitor for a private issue they do not have access to. Despite displaying an Access Denied error, the application accepts the request and creates a monitor relationship for the private issue. ### Impact Direct access to the private issue remains blocked, but the user will receive email notifications for updates, leading to disclosure of the private issue's metadata and content. ### Patches - 0a93267deba445fb9d15250c16e6fdb1246ffa65 ### Workarounds None ### Credits Thanks to Vishal Shukla for discovering and responsibly reporting the issue.
Status Published
Exploitability None
Weighted Severity None
Risk None
Affected and Fixed Packages Package Details
Weaknesses (3)
CWE-201 Insertion of Sensitive Information Into Sent Data
CWE-200 Exposure of Sensitive Information to an Unauthorized Actor
CWE-863 Incorrect Authorization
System Score Found at
epss 0.00014 https://api.first.org/data/v1/epss?cve=CVE-2026-34579
epss 0.00014 https://api.first.org/data/v1/epss?cve=CVE-2026-34579
epss 0.00014 https://api.first.org/data/v1/epss?cve=CVE-2026-34579
cvssv3.1_qr MODERATE https://github.com/advisories/GHSA-ggw7-9675-6v4v
cvssv4 5.3 https://github.com/mantisbt/mantisbt
generic_textual MODERATE https://github.com/mantisbt/mantisbt
cvssv4 5.3 https://github.com/mantisbt/mantisbt/commit/0a93267deba445fb9d15250c16e6fdb1246ffa65
generic_textual MODERATE https://github.com/mantisbt/mantisbt/commit/0a93267deba445fb9d15250c16e6fdb1246ffa65
ssvc Track https://github.com/mantisbt/mantisbt/commit/0a93267deba445fb9d15250c16e6fdb1246ffa65
cvssv3.1_qr MODERATE https://github.com/mantisbt/mantisbt/security/advisories/GHSA-ggw7-9675-6v4v
cvssv4 5.3 https://github.com/mantisbt/mantisbt/security/advisories/GHSA-ggw7-9675-6v4v
generic_textual MODERATE https://github.com/mantisbt/mantisbt/security/advisories/GHSA-ggw7-9675-6v4v
ssvc Track https://github.com/mantisbt/mantisbt/security/advisories/GHSA-ggw7-9675-6v4v
cvssv4 5.3 https://mantisbt.org/bugs/view.php?id=36975
generic_textual MODERATE https://mantisbt.org/bugs/view.php?id=36975
ssvc Track https://mantisbt.org/bugs/view.php?id=36975
cvssv4 5.3 https://nvd.nist.gov/vuln/detail/CVE-2026-34579
generic_textual MODERATE https://nvd.nist.gov/vuln/detail/CVE-2026-34579
Reference id Reference type URL
https://api.first.org/data/v1/epss?cve=CVE-2026-34579
https://github.com/mantisbt/mantisbt
https://github.com/mantisbt/mantisbt/commit/0a93267deba445fb9d15250c16e6fdb1246ffa65
https://github.com/mantisbt/mantisbt/security/advisories/GHSA-ggw7-9675-6v4v
https://mantisbt.org/bugs/view.php?id=36975
https://nvd.nist.gov/vuln/detail/CVE-2026-34579
GHSA-ggw7-9675-6v4v https://github.com/advisories/GHSA-ggw7-9675-6v4v
No exploits are available.
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N Found at https://github.com/mantisbt/mantisbt
Attack Vector (AV) Attack Complexity (AC) Attack Requirements (AT) Privileges Required (PR) User Interaction (UI) Vulnerable System Impact Confidentiality (VC) Vulnerable System Impact Integrity (VI) Vulnerable System Impact Availability (VA) Subsequent System Impact Confidentiality (SC) Subsequent System Impact Integrity (SI) Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N Found at https://github.com/mantisbt/mantisbt/commit/0a93267deba445fb9d15250c16e6fdb1246ffa65
Attack Vector (AV) Attack Complexity (AC) Attack Requirements (AT) Privileges Required (PR) User Interaction (UI) Vulnerable System Impact Confidentiality (VC) Vulnerable System Impact Integrity (VI) Vulnerable System Impact Availability (VA) Subsequent System Impact Confidentiality (SC) Subsequent System Impact Integrity (SI) Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-20T14:25:53Z/ Found at https://github.com/mantisbt/mantisbt/commit/0a93267deba445fb9d15250c16e6fdb1246ffa65
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N Found at https://github.com/mantisbt/mantisbt/security/advisories/GHSA-ggw7-9675-6v4v
Attack Vector (AV) Attack Complexity (AC) Attack Requirements (AT) Privileges Required (PR) User Interaction (UI) Vulnerable System Impact Confidentiality (VC) Vulnerable System Impact Integrity (VI) Vulnerable System Impact Availability (VA) Subsequent System Impact Confidentiality (SC) Subsequent System Impact Integrity (SI) Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-20T14:25:53Z/ Found at https://github.com/mantisbt/mantisbt/security/advisories/GHSA-ggw7-9675-6v4v
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N Found at https://mantisbt.org/bugs/view.php?id=36975
Attack Vector (AV) Attack Complexity (AC) Attack Requirements (AT) Privileges Required (PR) User Interaction (UI) Vulnerable System Impact Confidentiality (VC) Vulnerable System Impact Integrity (VI) Vulnerable System Impact Availability (VA) Subsequent System Impact Confidentiality (SC) Subsequent System Impact Integrity (SI) Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-20T14:25:53Z/ Found at https://mantisbt.org/bugs/view.php?id=36975
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N Found at https://nvd.nist.gov/vuln/detail/CVE-2026-34579
Attack Vector (AV) Attack Complexity (AC) Attack Requirements (AT) Privileges Required (PR) User Interaction (UI) Vulnerable System Impact Confidentiality (VC) Vulnerable System Impact Integrity (VI) Vulnerable System Impact Availability (VA) Subsequent System Impact Confidentiality (SC) Subsequent System Impact Integrity (SI) Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none
Exploit Prediction Scoring System (EPSS)
Percentile 0.02532
EPSS Score 0.00014
Published At June 5, 2026, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2026-06-04T17:04:23.791786+00:00 GithubOSV Importer Import https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-ggw7-9675-6v4v/GHSA-ggw7-9675-6v4v.json 38.6.0