CVE-2026-30849
Published: 23 March 2026
Summary
CVE-2026-30849 is a critical-severity Authentication Bypass by Primary Weakness (CWE-305) vulnerability in Mantisbt Mantisbt. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 32.2th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 CM-7 (Least Functionality) and SI-10 (Information Input Validation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Timely application of the patch in MantisBT version 2.28.1 directly remediates the authentication bypass vulnerability in the SOAP API.
Validating the password parameter in SOAP API inputs prevents the improper type checking exploit that enables authentication bypass on MySQL backends.
Disabling the unnecessary SOAP API functionality eliminates the primary attack vector for this authentication bypass vulnerability.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The vulnerability is an authentication bypass in the public-facing MantisBT SOAP API, directly enabling exploitation of a public-facing application.
NVD Description
Mantis Bug Tracker (MantisBT) is an open source issue tracker. Versions prior to 2.28.1 running on MySQL family databases are affected by an authentication bypass vulnerability in the SOAP API, as a result of an improper type checking on the…
more
password parameter. Other database backends are not affected, as they do not perform implicit type conversion from string to integer. Using a crafted SOAP envelope, an attacker knowing the victim's username is able to login to the SOAP API with their account without knowledge of the actual password, and execute any API function they have access to. Version 2.28.1 contains a patch. Disabling the SOAP API significantly reduces the risk, but still allows the attacker to retrieve user account information including email address and real name.
Deeper analysisAI
Mantis Bug Tracker (MantisBT), an open source issue tracker, in versions prior to 2.28.1 running on MySQL family databases, is affected by CVE-2026-30849, an authentication bypass vulnerability in the SOAP API. The flaw arises from improper type checking on the password parameter, exploiting MySQL's implicit conversion from string to integer, which does not occur with other database backends.
A remote, unauthenticated attacker who knows a target user's username can send a crafted SOAP envelope to bypass authentication and log in as that user without the correct password. This allows execution of any SOAP API functions accessible to the victim's account, potentially leading to high confidentiality, integrity, and availability impacts, as reflected in the CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) and mapped to CWE-305.
MantisBT version 2.28.1 includes a patch addressing the issue. Disabling the SOAP API significantly reduces risk, though it may still permit retrieval of user account information such as email addresses and real names. Additional details are available in the GitHub security advisory at https://github.com/mantisbt/mantisbt/security/advisories/GHSA-phrq-pc6r-f6gh and the patch commit at https://github.com/mantisbt/mantisbt/commit/b349e5c890eeda9bd82e7c7e14479853f8a30d9f.
Details
- CWE(s)