CVE-2026-30849
Received Received - Intake
Authentication Bypass in MantisBT SOAP API on MySQL

Publication date: 2026-03-23

Last updated on: 2026-03-25

Assigner: GitHub, Inc.

Description
Mantis Bug Tracker (MantisBT) is an open source issue tracker. Versions prior to 2.28.1 running on MySQL family databases are affected by an authentication bypass vulnerability in the SOAP API, as a result of an improper type checking on the password parameter. Other database backends are not affected, as they do not perform implicit type conversion from string to integer. Using a crafted SOAP envelope, an attacker knowing the victim's username is able to login to the SOAP API with their account without knowledge of the actual password, and execute any API function they have access to. Version 2.28.1 contains a patch. Disabling the SOAP API significantly reduces the risk, but still allows the attacker to retrieve user account information including email address and real name.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-23
Last Modified
2026-03-25
Generated
2026-06-16
AI Q&A
2026-03-23
EPSS Evaluated
2026-06-15
NVD
CVE-2026-30849
EUVD
EUVD-2026-14516
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
mantisbt mantisbt to 2.28.1 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-305 The authentication algorithm is sound, but the implemented mechanism can be bypassed as the result of a separate weakness that is primary to the authentication error.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-30849 is a critical authentication bypass vulnerability in Mantis Bug Tracker (MantisBT) versions prior to 2.28.1 when using MySQL or compatible databases. The flaw exists in the SOAP API due to improper type checking on the password parameter. Because MySQL performs implicit type conversion from string to integer, an attacker who knows a valid username can send a specially crafted SOAP request to bypass authentication without knowing the actual password.

This allows the attacker to log in as the victim user and execute any API function accessible to that user. Other database backends are not affected because they do not perform this implicit type conversion.

Disabling the SOAP API reduces the risk but still allows attackers to retrieve user account information such as email addresses and real names.

Impact Analysis

This vulnerability can have severe impacts because it allows an attacker to bypass authentication remotely without any privileges or user interaction.

  • Unauthorized access to user accounts in MantisBT.
  • Execution of any API function available to the compromised user, potentially leading to data manipulation or unauthorized actions.
  • Exposure of sensitive user information such as email addresses and real names if the SOAP API is disabled but still accessible.

Overall, this can lead to a high impact on confidentiality and integrity of the system.

Compliance Impact

I don't know

Detection Guidance

This vulnerability can be detected by monitoring for unusual or unauthorized SOAP API login attempts, especially those that do not require valid passwords but use known usernames.

Since the vulnerability involves sending specially crafted SOAP envelopes to bypass authentication, network traffic analysis tools can be used to inspect SOAP API requests for suspicious payloads.

Commands or methods to detect exploitation attempts might include capturing and analyzing network traffic on the SOAP API endpoint (usually HTTP/SOAP requests) using tools like tcpdump or Wireshark.

  • Use tcpdump to capture SOAP API traffic: tcpdump -i <interface> -s 0 -w mantisbt_soap.pcap port 80 or port 443
  • Analyze captured traffic with Wireshark or tshark to look for SOAP envelopes with unusual or missing password parameters.
  • Check MantisBT logs for successful SOAP API logins without corresponding valid password authentication.
Mitigation Strategies

The immediate mitigation step is to upgrade Mantis Bug Tracker to version 2.28.1 or later, which contains a patch that enforces strict type checking on the SOAP API login parameters.

If upgrading immediately is not possible, disabling the SOAP API significantly reduces the risk of exploitation, although it does not fully prevent attackers from retrieving some user account information.

Additionally, monitoring and restricting access to the SOAP API endpoint can help reduce exposure.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-30849. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart