Cyber Posture

CVE-2026-30849

Severity: Critical

Published: 23 March 2026
Modified: 25 March 2026
KEV Added: (none listed)
Patch: available
CVSS Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0013 (32.3rd percentile)
Risk Priority: 20 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Description

Mantis Bug Tracker (MantisBT) is an open source issue tracker. Versions prior to 2.28.1 running on MySQL family databases are affected by an authentication bypass vulnerability in the SOAP API, as a result of improper type checking on the password parameter. Other database backends are not affected, as they do not perform implicit type conversion from string to integer. Using a crafted SOAP envelope, an attacker knowing the victim's username is able to log in to the SOAP API with their account without knowledge of the actual password, and execute any API function they have access to. Version 2.28.1 contains a patch. Disabling the SOAP API significantly reduces the risk, but still allows the attacker to retrieve user account information including email address and real name.

Mitigating Controls (NIST 800-53 r5) (AI-generated)

- prevent: Timely application of the patch in MantisBT version 2.28.1 directly remediates the authentication bypass vulnerability in the SOAP API.

- prevent: Strictly validating the type of the password parameter in SOAP API requests removes the improper type check that enables the authentication bypass on MySQL backends.

- prevent: Disabling SOAP API functionality that is not needed eliminates the primary attack vector for this authentication bypass, although, as the description notes, it still allows retrieval of user account information such as email address and real name.

Security Summary (AI-generated)

Mantis Bug Tracker (MantisBT), an open source issue tracker, in versions prior to 2.28.1 running on MySQL family databases, is affected by CVE-2026-30849, an authentication bypass vulnerability in the SOAP API. The flaw arises from improper type checking on the password parameter, exploiting MySQL's implicit conversion from string to integer, which does not occur with other database backends.

A remote, unauthenticated attacker who knows a target user's username can send a crafted SOAP envelope to bypass authentication and log in as that user without the correct password. This allows execution of any SOAP API functions accessible to the victim's account, potentially leading to high confidentiality, integrity, and availability impacts, as reflected in the CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) and mapped to CWE-305.

MantisBT version 2.28.1 includes a patch addressing the issue. Disabling the SOAP API significantly reduces risk, though it may still permit retrieval of user account information such as email addresses and real names. Additional details are available in the GitHub security advisory at https://github.com/mantisbt/mantisbt/security/advisories/GHSA-phrq-pc6r-f6gh and the patch commit at https://github.com/mantisbt/mantisbt/commit/b349e5c890eeda9bd82e7c7e14479853f8a30d9f.

Details

CWE(s)

CWE-305 (Authentication Bypass by Primary Weakness)

Affected Products

Vendor: mantisbt
Product: mantisbt
Version: ≤ 2.28.1 (as listed; note that the description states versions prior to 2.28.1 are affected and that 2.28.1 contains the patch)

MITRE ATT&CK Enterprise Techniques (AI-generated)

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

The vulnerability is an authentication bypass in the public-facing MantisBT SOAP API, directly enabling exploitation of a public-facing application.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References

- GitHub security advisory: https://github.com/mantisbt/mantisbt/security/advisories/GHSA-phrq-pc6r-f6gh
- Patch commit: https://github.com/mantisbt/mantisbt/commit/b349e5c890eeda9bd82e7c7e14479853f8a30d9f