Product
A critical authentication bypass vulnerability, CVE-2026-47156, exists in the SOAP API's mci_check_login() function of MantisBT versions 2.28.3 and earlier, allowing an unauthenticated attacker to impersonate any user, including an administrator, by knowing a valid cookie_string and the target username, without needing the target's password, which can lead to full administrator access, extensive data exfiltration, and destructive operations when default self-registration is enabled.