CVE-2026-30849: MantisBT is vulnerable to authentication bypass through the SOAP API on MySQL

March 23, 2026 (updated March 25, 2026)

Mantis Bug Tracker instances running on MySQL and compatible databases are affected by an authentication bypass vulnerability in the SOAP API, as a result of improper type checking on the password parameter.

Other database backends are not affected, as they do not perform implicit type conversion from string to integer.

References

github.com/advisories/GHSA-phrq-pc6r-f6gh
github.com/mantisbt/mantisbt
github.com/mantisbt/mantisbt/commit/b349e5c890eeda9bd82e7c7e14479853f8a30d9f
github.com/mantisbt/mantisbt/security/advisories/GHSA-phrq-pc6r-f6gh
nvd.nist.gov/vuln/detail/CVE-2026-30849

Code Behaviors & Features

Detect and mitigate CVE-2026-30849 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →