CVE-2026-34754: MantisBT has an Authorization Bypass that Allows Uploading Attachments to Private Issues via REST API

May 11, 2026 (updated June 5, 2026)

MantisBT allows an authenticated user to upload attachments to private Issues they are not authorized to access.

References

github.com/advisories/GHSA-h4x5-gvx6-3rwc
github.com/mantisbt/mantisbt/commit/b262b4d2835b81394d75356dead66e52a6275206
github.com/mantisbt/mantisbt/security/advisories/GHSA-h4x5-gvx6-3rwc
mantisbt.org/bugs/view.php?id=36976
nvd.nist.gov/vuln/detail/CVE-2026-34754

Code Behaviors & Features

Detect and mitigate CVE-2026-34754 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →