CVE-2026-30849
published 2026-03-23


Priority: P267
Severity: critical, CVSS 3.1 base score 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS: 0.41% (33.0th percentile)
Mantis Bug Tracker (MantisBT) is an open source issue tracker. Versions prior to 2.28.1 running on MySQL family databases are affected by an authentication bypass vulnerability in the SOAP API, as a result of an improper type checking on the password parameter. Other database backends are not affected, as they do not perform implicit type conversion from string to integer. Using a crafted SOAP envelope, an attacker knowing the victim's username is able to login to the SOAP API with their account without knowledge of the actual password, and execute any API function they have access to. Version 2.28.1 contains a patch. Disabling the SOAP API significantly reduces the risk, but still allows the attacker to retrieve user account information including email address and real name.

Affected (2 ranges)

Vendor     Product    Version range     Fixed in
mantisbt   mantisbt   < 2.28.1          2.28.1
mantisbt   mantisbt   >= 0 < 2.28.1     2.28.1

Detection & IOCs (extracted from sources)

  • Authentication bypass via crafted SOAP envelope targeting the SOAP API password parameter — look for SOAP requests where the password field carries a non-string (integer/numeric) type rather than a standard string
  • The vulnerability is specific to the MantisBT SOAP API on MySQL family database backends, due to implicit type conversion from string to integer on the password parameter — detections should focus on MantisBT instances backed by MySQL/MariaDB
  • Monitor MantisBT SOAP API authentication events for successful logins followed by API function calls, especially where the password parameter type in the SOAP envelope is numeric/integer rather than a string
  • Disabling the SOAP API reduces exploitation risk but does not fully eliminate it — user account information (email, real name) can still be retrieved even with the SOAP API disabled
  • Only MantisBT versions prior to 2.28.1 are affected; the patched version is 2.28.1
  • Only MySQL family database backends are vulnerable, due to implicit type coercion behaviour; PostgreSQL and other backends are not affected
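As an added defensive example (not from the advisory or the MantisBT project), the following Python check implements the first and third bullets: a WAF, reverse proxy or log pipeline can run it over captured SOAP request bodies and flag any password parameter whose declared XML Schema type is not a string. The sample envelopes are constructed for the example, and the `mc_login` method name and parameter layout are assumptions about the request shape.

```python
# Added example: flag SOAP requests whose password parameter is typed as
# something other than xsd:string. Written for log/WAF review, not for the
# MantisBT code base itself.
import xml.etree.ElementTree as ET

# Fully qualified name of the xsi:type attribute as ElementTree reports it.
XSI_TYPE = "{http://www.w3.org/2001/XMLSchema-instance}type"


def password_type_findings(soap_body: str) -> list:
    """Return (element_name, declared_type) for every 'password' element whose
    xsi:type is present and is not a string type. Empty list = nothing flagged."""
    findings = []
    try:
        root = ET.fromstring(soap_body)
    except ET.ParseError:
        return findings  # malformed XML is out of scope for this check
    for el in root.iter():
        local_name = el.tag.rsplit("}", 1)[-1]  # strip any namespace
        if local_name.lower() != "password":
            continue
        declared = el.get(XSI_TYPE)
        if declared is None:
            continue  # untyped element: the server's default applies, not flagged
        # Compare only the local part ("xsd:int" -> "int"); prefixes vary per client.
        if declared.rsplit(":", 1)[-1].lower() != "string":
            findings.append((local_name, declared))
    return findings


def _envelope(password_xml: str) -> str:
    """Constructed sample login request; method name and layout are assumed."""
    return (
        '<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" '
        'xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" '
        'xmlns:xsd="http://www.w3.org/2001/XMLSchema">'
        "<soapenv:Body><mc_login>"
        '<username xsi:type="xsd:string">alice</username>'
        + password_xml
        + "</mc_login></soapenv:Body></soapenv:Envelope>"
    )


# Constructed samples: a normal string-typed password and an integer-typed one.
# The integer value is arbitrary; the type attribute is what the check keys on.
NORMAL_REQUEST = _envelope('<password xsi:type="xsd:string">s3cret</password>')
SUSPECT_REQUEST = _envelope('<password xsi:type="xsd:int">42</password>')
```

Run `password_type_findings` over each captured body and alert when it returns a non-empty list; pair that with the follow-on API calls from the same session to prioritise review.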

CVSS provenance

NVD, CVSS v3.1: 9.8 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
NVD, CVSS v4.0: 9.3 CRITICAL, CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X