What is GHSA-ggw7-9675-6v4v?

GHSA-ggw7-9675-6v4v is a security advisory published by GitHub Security Advisories with Medium severity. MantisBT has an authorization bypass in private issue monitoring

Which CVE IDs does GHSA-ggw7-9675-6v4v cover?

GHSA-ggw7-9675-6v4v covers the following CVE IDs: CVE-2026-34579. Each CVE has its own detail page on EchelonGraph Pulse with the synthesized EG score.

Which products are affected by GHSA-ggw7-9675-6v4v?

GHSA-ggw7-9675-6v4v affects 1 product, including: composer/mantisbt/mantisbt:\u003e= 2.26.1, \u003c= 2.28.1.

GHSA-ggw7-9675-6v4vMedium

MantisBT has an authorization bypass in private issue monitoring

Vendor

GitHub Security Advisories

Published

May 11, 2026

Last Modified

June 5, 2026

🔗 CVE IDs covered (1)

CVE-2026-34579 →

📋 Description

Using a crafted POST request to bug_monitor_add.php, a user with project-level access can add themselves as a monitor for a private issue they do not have access to. Despite displaying an Access Denied error, the application accepts the request and creates a monitor relationship for the private issue.

Impact

Direct access to the private issue remains blocked, but the user will receive email notifications for updates, leading to disclosure of the private issue's metadata and content.

Patches

0a93267deba445fb9d15250c16e6fdb1246ffa65

Workarounds

None

Credits

Thanks to Vishal Shukla for discovering and responsibly reporting the issue.

🎯 Affected products1

composer/mantisbt/mantisbt:>= 2.26.1, <= 2.28.1

🔗 References (5)

https://github.com/mantisbt/mantisbt/security/advisories/GHSA-ggw7-9675-6v4v
https://github.com/mantisbt/mantisbt/commit/0a93267deba445fb9d15250c16e6fdb1246ffa65
https://mantisbt.org/bugs/view.php?id=36975
https://nvd.nist.gov/vuln/detail/CVE-2026-34579
https://github.com/advisories/GHSA-ggw7-9675-6v4v