CVE-2026-30849: Authentication Bypass via Type Juggling in MantisBT SOAP API
Vulnerability ID: CVE-2026-30849
CVSS Score: 9.3
Published: 2026-03-23
Mantis Bug Tracker (MantisBT) versions prior to 2.28.1 are vulnerable to a critical authentication bypass vulnerability within the SOAP API. This flaw arises from a combination of missing type constraints in PHP and implicit type conversion in MySQL databases, allowing unauthenticated attackers to access any account given a valid username.
TL;DR
An unauthenticated remote attacker can bypass authentication in MantisBT < 2.28.1 by sending an integer zero as the password via the SOAP API, exploiting MySQL implicit type conversion to evaluate the password check as true.
⚠️ Exploit Status: POC
Technical Details
- CWE ID: CWE-305
- Attack Vector: Network
- CVSS v4.0: 9.3
- Impact: Authentication Bypass / RCE
- Exploit Status: Proof-of-Concept
- KEV Status: Not Listed
Affected Systems
- Mantis Bug Tracker (MantisBT) < 2.28.1 running on MySQL or MariaDB
-
Mantis Bug Tracker: < 2.28.1 (Fixed in:
2.28.1)
Code Analysis
Commit: b349e5c
Fix type hinting and null-safe handling in SOAP API to prevent authentication bypass
Mitigation Strategies
- Upgrade MantisBT to version 2.28.1 or newer.
- Disable the SOAP API via the configuration file if the API is not required.
- Implement WAF rules to detect and block explicit integer typing in SOAP password parameters.
Remediation Steps:
- Backup the MantisBT database and configuration files.
- Download the MantisBT 2.28.1 release.
- Deploy the updated application files over the existing installation.
- Verify that the application functions normally and that SOAP clients update to use string-based types if applicable.
- If patching is impossible, edit
config_inc.phpand add$g_enable_soap = OFF;.
References
Read the full report for CVE-2026-30849 on our website for more details including interactive diagrams and full exploit analysis.
Top comments (0)