MantisBT: master-2.28 de7bdeec

Author: dregad
Committer: dregad
Branch: master-2.28
Timestamp: 2026-03-30 11:42
Parent: master-2.28 0a93267d
Affected Issues: 0036977: CVE-2026-34744: Authorization bypass allows users to read their own attachments after losing access to a private issue
Changeset

Prevent access to private issues' file attachments

Adding access checks ensuring that the user is allowed to view the
attachments' parent issue, before listing or downloading them:

  • file_can_view_or_download() function
  • IssueFileGetCommand::validate() method

Fixes 0036977, GHSA-rmp5-5jj7-gmvf

mod - core/commands/IssueFileGetCommand.php
mod - core/file_api.php