VYPR
Critical severity · NVD Advisory · Published Mar 23, 2026 · Updated Mar 24, 2026

MantisBT SOAP API has an authentication bypass vulnerability on MySQL

CVE-2026-30849

Description

Mantis Bug Tracker (MantisBT) is an open source issue tracker. Versions prior to 2.28.1 running on MySQL family databases are affected by an authentication bypass vulnerability in the SOAP API, as a result of improper type checking on the password parameter. Other database backends are not affected, as they do not perform implicit type conversion from string to integer. Using a crafted SOAP envelope, an attacker who knows the victim's username is able to log in to the SOAP API with their account without knowledge of the actual password, and execute any API function they have access to. Version 2.28.1 contains a patch. Disabling the SOAP API significantly reduces the risk, but still allows the attacker to retrieve user account information including email address and real name.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

MantisBT SOAP API authentication bypass via improper type checking on MySQL; attackers with a username can log in without a password.

Root Cause

Versions of MantisBT prior to 2.28.1 running on MySQL family databases are vulnerable to an authentication bypass in the SOAP API. The issue stems from improper type checking on the password parameter in the mci_check_login() function [1]. MySQL performs implicit type conversion from string to integer, allowing crafted inputs to bypass authentication checks [4]. Other databases are unaffected as they do not perform such conversion.

Exploitation

An attacker who knows a victim's username can craft a malicious SOAP envelope to exploit the type conversion. By sending a specially crafted password value (e.g., a numeric string or empty string), the attacker can authenticate as the victim without knowing the actual password [1][4]. The attack requires access to the SOAP API endpoint; no other prerequisites are needed.

Impact

Successful exploitation allows the attacker to log in as any known user and execute any SOAP API function that the victim's account has access to. This includes the ability to retrieve sensitive user account information such as email addresses and real names [1][4]. The vulnerability can lead to unauthorized access to issue tracker data and functionality.

Mitigation

Version 2.28.1 contains a patch that adds proper type declarations to the mci_check_login() parameters, preventing the bypass [3]. As a workaround, disabling the SOAP API reduces the risk, but does not fully prevent the attacker from retrieving user account information via the SOAP API [4]. Users are strongly advised to upgrade to the patched version.
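
The effect of the added type declarations can be seen in isolation with the sketch below. It is an added example, not MantisBT code: the function names, the user name and the sample values are hypothetical, and only the `?string` signature and the `??=` normalisation mirror the patch.

```php
<?php
// Added illustration, not MantisBT code. All function names are hypothetical.

// Stand-in for the code that builds the database comparison: it reports the
// PHP type it received, which decides how a MySQL-family backend compares it.
function auth_layer_sees( $p_value ): string {
	return gettype( $p_value ) . ' ' . json_encode( $p_value );
}

// Pre-patch shape: untyped parameters. Whatever type the SOAP decoder produced
// is handed on unchanged to the authentication layer.
function login_untyped( $p_username, $p_password ) {
	$t_password = ( $p_password === null ) ? '' : $p_password;
	return auth_layer_sees( $t_password );
}

// Patched shape: in PHP's default coercive mode, ?string converts scalars to
// string and rejects non-scalars with a TypeError before the body runs.
function login_typed( ?string $p_username, ?string $p_password ) {
	$p_username ??= '';
	$p_password ??= '';
	return auth_layer_sees( $p_password );
}

// Constructed sample inputs, one per type a decoded envelope could carry.
$t_samples = [ 'secret', 42, 1.5, true, null, [ 'x' ] ];

foreach( $t_samples as $t_sample ) {
	$t_before = login_untyped( 'alice', $t_sample );
	try {
		$t_after = login_typed( 'alice', $t_sample );
	} catch( TypeError $e ) {
		$t_after = 'rejected (TypeError)';
	}
	printf( "untyped: %-16s typed: %s\n", $t_before, $t_after );
}
```

With the typed signature, only strings (or a rejection) reach the authentication layer, so the database never receives a non-string value to compare against the stored password.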

AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package | Affected versions | Patched versions
mantisbt/mantisbt (Packagist) | < 2.28.1 | 2.28.1

Affected products

2
  • Mantisbt/Mantisbt (llm-fuzzy), 2 versions: <2.28.1 + 1 more
    • (no CPE) range: <2.28.1
    • (no CPE) range: < 2.28.1

Patches

1
b349e5c890ee

Add type definition to mci_check_login()'s params

https://github.com/mantisbt/mantisbt · Damien Regad · Mar 6, 2026 · via ghsa
1 file changed · +8 -6
  • api/soap/mc_api.php+8 6 modified
    @@ -449,13 +449,13 @@ function mci_is_mantis_offline() {
     /**
      * Handle a soap API login.
      *
    - * @param string $p_username Login username.
    - * @param string $p_password Login password.
    + * @param string|null $p_username Login username.
    + * @param string|null $p_password Login password.
      *
      * @return int|false return user_id if successful, otherwise false.
      * @throws ClientException
      */
    -function mci_check_login( $p_username, $p_password ) {
    +function mci_check_login( ?string $p_username, ?string $p_password ) {
     	static $s_already_called = false;
     
     	if( $s_already_called === true ) {
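Review bot: the docblock above `function mci_check_login( ?string $p_username, ?string $p_password )` still lists only `@throws ClientException`, but with the new declarations a non-scalar argument (an array, for example) raises a TypeError before the function body runs. Document that, and add a one-line comment stating that the `?string` declarations are the security control (in PHP's default coercive mode they turn a non-string scalar into a string before it reaches the login checks), so a later refactor does not relax them.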
    @@ -468,11 +468,13 @@ function mci_check_login( $p_username, $p_password ) {
     		return false;
     	}
     
    +	$p_username ??= '';
    +
     	# Must not pass in null password, otherwise, authentication will be by-passed
     	# by auth_attempt_script_login().
    -	$t_password = ( $p_password === null ) ? '' : $p_password;
    +	$p_password ??= '';
     
    -	if( api_token_validate( $p_username, $t_password ) ) {
    +	if( api_token_validate( $p_username, $p_password ) ) {
     		# Token is valid, then login the user without worrying about a password.
     		if( auth_attempt_script_login( $p_username ) === false ) {
     			return false;
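Review bot: `$p_username ??= '';` is added with no comment, while the password normalisation right below it keeps its explanation; say why a null username is normalised too, since the empty string now goes on to `api_token_validate()` and `auth_attempt_script_login()`. The `??=` operator also needs PHP 7.4 or later, so check that this matches the project's minimum supported PHP version.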
    @@ -487,7 +489,7 @@ function mci_check_login( $p_username, $p_password ) {
     			}
     		} else {
     			# Use regular passwords
    -			if( auth_attempt_script_login( $p_username, $t_password ) === false ) {
    +			if( auth_attempt_script_login( $p_username, $p_password ) === false ) {
     				return false;
     			}
     		}
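Review bot: the call `auth_attempt_script_login( $p_username, $p_password )` depends entirely on this caller's signature for receiving a string; per the comment earlier in the function, the callee still bypasses authentication when the password is null, so consider giving `auth_attempt_script_login()` its own type declaration as defence in depth. The commit changes only api/soap/mc_api.php, so a regression test that drives the login path with a non-string password would be worth adding alongside it.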
    

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

4
