Critical SOAP API auth bypass patched in MantisBT on MySQL
TL;DR — A MySQL-only SOAP API auth bypass in MantisBT allows passwordless login as any known username, enabling attackers to invoke SOAP API functions under the victim’s account.
What happened
Mantis Bug Tracker (MantisBT) is an open-source issue tracker used to manage bugs, work items, and project workflows.
CVE-2026-30849 describes a critical authentication bypass in the MantisBT SOAP API affecting instances backed by MySQL-family databases. The CVE record attributes the bypass to improper type checking on the password parameter, noting that other database backends are not affected because they don’t perform the same implicit type conversion behavior.
Per the CVE description, an attacker who knows a victim’s username can use a crafted SOAP envelope to authenticate to the SOAP API without the actual password, and then execute any SOAP API function permitted by that victim’s account.
This is a high-priority pattern for platform teams because “type confusion / type juggling” auth bugs tend to be easy to exploit remotely, and SOAP endpoints are often left enabled for integrations long after they’re no longer actively monitored.
Who is impacted
- MantisBT instances running on MySQL and compatible databases.
- Versions
< 2.28.1are affected (per the CVE record).
| Deployment | Affected versions (per CVE record) | Patched versions (per CVE/GitHub advisory) |
|---|---|---|
| MantisBT + MySQL-family DB | < 2.28.1 | 2.28.1 |
| MantisBT + non-MySQL DB backends | Not affected (per CVE record) | N/A |
Note: the linked GitHub Security Advisory page lists affected versions as <= 2.28.1 while also listing 2.28.1 as patched; treat the CVE record’s < 2.28.1 as the consistent affected range unless your internal validation indicates otherwise.
What to do now
- Follow vendor remediation guidance and apply the vendor’s patched release:
"Version 2.28.1 contains a patch."
- If you can’t patch immediately, apply the vendor workaround guidance to reduce exposure:
"Disabling the SOAP API significantly reduces the risk, but still allows the attacker to retrieve user account information including email address and real name."
- Inventory where SOAP API access is enabled (including “internal-only” deployments) and validate whether it’s reachable from untrusted networks.
- Treat this as an account-compromise risk: review SOAP API access logs (if available) and validate for unusual API calls under legitimate usernames.
Content is AI-assisted and reviewed by our team, but issues may be missed and best practices evolve rapidly, send corrections to [email protected]. Always consult official documentation and validate key implementation decisions before making design or security choices.