CVE-2026-30849 Overview
Mantis Bug Tracker (MantisBT) is an open source issue tracker that contains a critical authentication bypass vulnerability in its SOAP API. Versions prior to 2.28.1 running on MySQL family databases are vulnerable due to improper type checking on the password parameter. The vulnerability stems from MySQL's implicit type conversion behavior, which converts strings to integers, allowing attackers to bypass authentication without knowing the victim's actual password.
Critical Impact
An attacker with knowledge of a victim's username can gain full access to their MantisBT account via the SOAP API, executing any API function available to that user without requiring the actual password. This includes access to sensitive bug reports, project data, and administrative functions if the compromised account has elevated privileges.
Affected Products
- MantisBT versions prior to 2.28.1
- MantisBT installations running on MySQL family databases (MySQL, MariaDB)
- MantisBT SOAP API endpoints
Discovery Timeline
- 2026-03-23 - CVE CVE-2026-30849 published to NVD
- 2026-03-25 - Last updated in NVD database
Technical Details for CVE-2026-30849
Vulnerability Analysis
This authentication bypass vulnerability (CWE-305: Authentication Bypass by Primary Weakness) exists in the MantisBT SOAP API due to improper type validation of the password parameter during authentication. When MantisBT processes SOAP authentication requests on MySQL-family databases, the password parameter is not properly type-checked before being used in database queries.
MySQL databases perform implicit type conversion when comparing string values to integers. If an attacker supplies an integer value (or a value that MySQL interprets as an integer) instead of a string password, the database comparison may succeed unexpectedly, bypassing the normal password verification process.
Other database backends such as PostgreSQL are not affected by this vulnerability, as they enforce strict type checking and do not perform implicit type conversion from string to integer during comparisons.
Root Cause
The root cause of this vulnerability is insufficient type validation on user-supplied input within the SOAP API authentication handler. The password parameter accepts values without enforcing that they must be string types, allowing attackers to exploit MySQL's implicit type coercion behavior. When a numeric value is passed where a string password is expected, MySQL's comparison logic can result in unintended matches, granting unauthorized access.
Attack Vector
The attack is conducted over the network against the SOAP API endpoint. An attacker who knows a valid username can craft a malicious SOAP envelope with a specially formatted password parameter. The attack requires:
- Knowledge of a valid username in the target MantisBT installation
- Network access to the MantisBT SOAP API endpoint
- The target system running on a MySQL-family database
Using a crafted SOAP envelope, the attacker sends an authentication request where the password parameter exploits MySQL's type conversion behavior. The vulnerability allows the attacker to authenticate as any user and execute any SOAP API function that the compromised account has permission to access.
Note: Even with the SOAP API disabled, attackers may still be able to retrieve limited user account information including email addresses and real names through alternative vectors.
Detection Methods for CVE-2026-30849
Indicators of Compromise
- Unusual SOAP API authentication requests with non-string password parameters
- Successful API authentications from unexpected IP addresses or geographic locations
- Multiple successful logins for the same user from different sources in short timeframes
- SOAP API activity patterns inconsistent with normal user behavior
Detection Strategies
- Monitor SOAP API endpoints for authentication requests containing numeric or non-string password values
- Implement web application firewall (WAF) rules to inspect SOAP envelope content for type manipulation attempts
- Enable detailed logging on MantisBT authentication events and correlate with IP reputation data
- Deploy intrusion detection signatures for malformed SOAP authentication requests
Monitoring Recommendations
- Configure alerts for authentication anomalies on MantisBT SOAP API endpoints
- Review SOAP API access logs regularly for suspicious authentication patterns
- Monitor for bulk data access or unusual API function calls following authentication events
- Implement user and entity behavior analytics (UEBA) to detect account compromise indicators
How to Mitigate CVE-2026-30849
Immediate Actions Required
- Upgrade MantisBT to version 2.28.1 or later immediately
- If immediate patching is not possible, disable the SOAP API as a temporary risk reduction measure
- Audit recent SOAP API authentication logs for signs of exploitation
- Reset passwords for privileged accounts that may have been compromised
- Review and restrict network access to MantisBT SOAP API endpoints
Patch Information
MantisBT has released version 2.28.1 which contains a fix for this vulnerability. The patch implements proper type checking on the password parameter in the SOAP API authentication handler. Organizations should upgrade to this version or apply the security commit referenced in the GitHub Commit Update.
For detailed information about this vulnerability and the fix, refer to the GitHub Security Advisory GHSA-phrq-pc6r-f6gh.
Workarounds
- Disable the SOAP API if not required for business operations (note: this reduces but does not eliminate all risk)
- Implement network-level access controls to restrict SOAP API access to trusted IP ranges only
- Deploy a web application firewall with rules to validate SOAP envelope parameter types
- Consider migrating to a non-MySQL database backend (PostgreSQL) which is not affected by this vulnerability
- Enable multi-factor authentication where supported to add an additional layer of protection
# Disable SOAP API in MantisBT config_inc.php
# Add or modify the following configuration option:
$g_webservice_enabled = OFF;
# Alternatively, block SOAP API at web server level (Apache example)
# Add to .htaccess or virtual host configuration:
<Location /api/soap/mantisconnect.php>
Require ip 10.0.0.0/8
Require ip 192.168.0.0/16
</Location>
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
