CVE-2026-30849
Authentication Bypass in MantisBT SOAP API on MySQL
Publication date: 2026-03-23
Last updated on: 2026-03-25
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| mantisbt | mantisbt | to 2.28.1 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-305 | The authentication algorithm is sound, but the implemented mechanism can be bypassed as the result of a separate weakness that is primary to the authentication error. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-30849 is a critical authentication bypass vulnerability in Mantis Bug Tracker (MantisBT) versions prior to 2.28.1 when using MySQL or compatible databases. The flaw exists in the SOAP API due to improper type checking on the password parameter. Because MySQL performs implicit type conversion from string to integer, an attacker who knows a valid username can send a specially crafted SOAP request to bypass authentication without knowing the actual password.
This allows the attacker to log in as the victim user and execute any API function accessible to that user. Other database backends are not affected because they do not perform this implicit type conversion.
Disabling the SOAP API reduces the risk but still allows attackers to retrieve user account information such as email addresses and real names.
How can this vulnerability impact me? :
This vulnerability can have severe impacts because it allows an attacker to bypass authentication remotely without any privileges or user interaction.
- Unauthorized access to user accounts in MantisBT.
- Execution of any API function available to the compromised user, potentially leading to data manipulation or unauthorized actions.
- Exposure of sensitive user information such as email addresses and real names if the SOAP API is disabled but still accessible.
Overall, this can lead to a high impact on confidentiality and integrity of the system.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring for unusual or unauthorized SOAP API login attempts, especially those that do not require valid passwords but use known usernames.
Since the vulnerability involves sending specially crafted SOAP envelopes to bypass authentication, network traffic analysis tools can be used to inspect SOAP API requests for suspicious payloads.
Commands or methods to detect exploitation attempts might include capturing and analyzing network traffic on the SOAP API endpoint (usually HTTP/SOAP requests) using tools like tcpdump or Wireshark.
- Use tcpdump to capture SOAP API traffic: tcpdump -i <interface> -s 0 -w mantisbt_soap.pcap port 80 or port 443
- Analyze captured traffic with Wireshark or tshark to look for SOAP envelopes with unusual or missing password parameters.
- Check MantisBT logs for successful SOAP API logins without corresponding valid password authentication.
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to upgrade Mantis Bug Tracker to version 2.28.1 or later, which contains a patch that enforces strict type checking on the SOAP API login parameters.
If upgrading immediately is not possible, disabling the SOAP API significantly reduces the risk of exploitation, although it does not fully prevent attackers from retrieving some user account information.
Additionally, monitoring and restricting access to the SOAP API endpoint can help reduce exposure.