View Issue Details

WikiRelated ChangesetsJump to Notes
IDProjectCategoryView StatusDate SubmittedLast Update
0036978mantisbtsecuritypublic2026-03-17 06:042026-05-09 19:56
Reporterninjasec Assigned Todregad  
PrioritynormalSeverityminorReproducibilityalways
Status closedResolutionfixed 
Product Version2.28.1 
Target Version2.28.2Fixed in Version2.28.2 
Summary0036978: CVE-2026-34970: Bugnote Revision Page Leaks Private Issue Metadata After Issue Access Is Revoked
Description

MantisBT allows a bugnote author to access the bugnote revision page after losing access to the parent private issue, disclosing issue metadata such as the issue id and summary.

The revision page authorization permits a bugnote reporter to access bugnote revisions even when the user no longer has access to the parent issue. Although the page does not disclose the full revision body in the tested setup, it still renders issue-level metadata from the private issue.

/bug_revision_view_page.php?bugnote_id=9

The revision page returned 200 OK and exposed:

  • page title: 0000002: test - MantisBT
  • heading: View Revisions: Note 9
  • issue summary block: 0000002: test

This is a metadata disclosure because the issue itself remained inaccessible.

Affected Code

  • access_api.php:985
  • bug_revision_view_page.php:102
  • bug_revision_view_page.php:198

Root Cause
access_can_view_bugnote_revisions() permits access for the bugnote reporter:
return $t_has_access || bugnote_is_user_reporter( $p_bugnote_id, $t_user_id );

Steps To Reproduce

Steps to Reproduce

  1. Create a note on a public issue as a low-privileged user.

  2. Ensure the note has revision rows.

  3. Make the issue private.

  4. Confirm the user receives 403 Forbidden on the issue page.

  5. Open the bugnote revision page directly using the bugnote id.

  6. Confirm the issue page is blocked:

    curl -i 'http://127.0.0.1:8082/view.php?id=2' \
-b 'PHPSESSID=824f757a81d6daa2babfd78f593d88e9; MANTIS_secure_session=0; MANTIS_STRING_COOKIE=vDpDJ75wdseznutGCwiNBcTb1W7V_ZcAC-fGDVNzwmt1n5nKKkWumlNOAjv-SpUl'

  7. Open the revision page directly:

  curl -i 'http://127.0.0.1:8082/bug_revision_view_page.php?bugnote_id=9' \
    -b 'PHPSESSID=824f757a81d6daa2babfd78f593d88e9; MANTIS_secure_session=0; MANTIS_STRING_COOKIE=vDpDJ75wdseznutGCwiNBcTb1W7V_ZcAC-fGDVNzwmt1n5nKKkWumlNOAjv-SpUl'
  • The page exposes:
    • 0000002: test - MantisBT
    • View Revisions: Note 9
    • 0000002: test
TagsNo tags attached.

Relationships

Relationship GraphDependency Graph
related to 0027370 closeddregad CVE-2020-35849: Revisions allow viewing private bugnotes id and summary 

Activities

dregad

dregad

2026-03-31 11:45

developer   ~0070927

I confirm the vulnerability.

Advisory https://github.com/mantisbt/mantisbt/security/advisories/GHSA-crmx-4p49-46m2 created and CVE request sent.
dregad

dregad

2026-04-01 03:25

developer   ~0070928

CVE-2026-34970 assigned
dregad

dregad

2026-05-02 20:13

developer   ~0071064

Patch for review https://github.com/mantisbt/mantisbt-private/pull/6

Related Changesets

MantisBT: master-2.28 71df1f67

2026-05-09 05:49

dregad

Committer: community


Details Diff		 Fix bugnote revisions access check

access_can_view_bugnote_revisions() now checks that the user can view
the bugnote's parent issue.

Fixes 0036978, GHSA-crmx-4p49-46m2 / CVE-2026-34970		 Affected Issues
0036978
mod - core/access_api.php Diff File