{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/mantisbt-2.x/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["MantisBT (2.x)"],"_cs_severities":["critical"],"_cs_tags":["authentication-bypass","privilege-escalation","web-vulnerability","mantisbt","cve"],"_cs_type":"advisory","_cs_vendors":["MantisBT"],"content_html":"\u003cp\u003eA critical authentication bypass vulnerability, identified as CVE-2026-47156, has been discovered in MantisBT versions 2.28.3 and earlier. This flaw specifically impacts the \u003ccode\u003emci_check_login()\u003c/code\u003e function within the application's SOAP API. An attacker can leverage this vulnerability to gain full administrator privileges without needing the administrator's password. The exploitation relies on the attacker knowing any valid \u003ccode\u003ecookie_string\u003c/code\u003e (which can be their own, obtained via self-registration) and the target administrator's username. This zero-prior-access exploit is particularly potent in default MantisBT installations where self-registration is enabled, allowing attackers to easily obtain a valid \u003ccode\u003ecookie_string\u003c/code\u003e. The vulnerability enables comprehensive data exfiltration of bug reports, attachments, user accounts, and configuration data, alongside destructive actions such as deleting projects or issues. Neither the REST API nor the Web UI are affected by this specific flaw.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eInitial Access (Self-Registration):\u003c/strong\u003e The attacker accesses a MantisBT instance where self-registration (\u003ccode\u003e$g_allow_signup = ON\u003c/code\u003e) is enabled by default.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eUser Creation:\u003c/strong\u003e The attacker self-registers for a new user account on the MantisBT instance.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eCookie Acquisition:\u003c/strong\u003e The attacker logs into their newly created account via the web UI and extracts their valid \u003ccode\u003eMANTIS_STRING_COOKIE\u003c/code\u003e from their browser's cookies.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eSOAP API Request Crafting:\u003c/strong\u003e Using the obtained \u003ccode\u003ecookie_string\u003c/code\u003e and the known username of a target administrator, the attacker crafts a malicious SOAP API request targeting the \u003ccode\u003emci_check_login()\u003c/code\u003e function.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eAuthentication Bypass:\u003c/strong\u003e The crafted SOAP API request is sent to the MantisBT server. The \u003ccode\u003emci_check_login()\u003c/code\u003e function, due to the vulnerability, fails to properly validate the \u003ccode\u003ecookie_string\u003c/code\u003e against the supplied username, granting the attacker authentication as the target administrator.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePrivilege Escalation:\u003c/strong\u003e The attacker is now authenticated as the administrator within the SOAP API context, effectively escalating privileges from a basic self-registered user to a full administrator.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eMalicious Operations:\u003c/strong\u003e The attacker can then utilize the 71 available SOAP operations to perform various malicious activities.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eImpact:\u003c/strong\u003e This leads to objectives such as full data exfiltration of bug reports, attachments, user accounts, and configuration details, or destructive actions like deleting projects, issues, attachments, tags, categories, and versions.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe successful exploitation of CVE-2026-47156 grants attackers full administrator access to the MantisBT SOAP API from zero prior access, especially in default installations where self-registration is enabled. This level of access permits extensive data exfiltration, including all issues (public and private), notes, attachments, user accounts (IDs, names, emails), and non-private configuration values across all projects. Attackers can also perform destructive operations such as deleting projects, issues, attachments, tags, categories, and versions, or manipulate data by creating/modifying issues and managing project structures. This critical flaw allows for comprehensive compromise of the MantisBT instance and its contained data.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003e\u003cstrong\u003ePatch CVE-2026-47156 immediately:\u003c/strong\u003e Update MantisBT to a version patched against \u003ca href=\"https://github.com/mantisbt/mantisbt/commit/e3571c319b1721b41b0dc4b5b5203cbdcbe0c2ee\"\u003eCVE-2026-47156\u003c/a\u003e.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eDisable self-registration:\u003c/strong\u003e If not strictly required for your operational environment, disable \u003ccode\u003e$g_allow_signup\u003c/code\u003e in your MantisBT configuration to prevent unauthenticated users from easily obtaining a \u003ccode\u003ecookie_string\u003c/code\u003e for exploitation.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eMonitor web server logs for suspicious SOAP API activity:\u003c/strong\u003e While no specific exploitation signature is provided, monitor web server logs for unusual or high volumes of requests to SOAP API endpoints, especially those involving \u003ccode\u003emci_check_login()\u003c/code\u003e, particularly from newly registered users or IP addresses not typically associated with administrative activity.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-15T16:47:18Z","date_published":"2026-07-15T16:47:18Z","id":"https://feed.craftedsignal.io/briefs/2026-07-mantisbt-auth-bypass/","summary":"A critical authentication bypass vulnerability, CVE-2026-47156, exists in the SOAP API's mci_check_login() function of MantisBT versions 2.28.3 and earlier, allowing an unauthenticated attacker to impersonate any user, including an administrator, by knowing a valid cookie_string and the target username, without needing the target's password, which can lead to full administrator access, extensive data exfiltration, and destructive operations when default self-registration is enabled.","title":"MantisBT SOAP API Authentication Bypass and Privilege Escalation (CVE-2026-47156)","url":"https://feed.craftedsignal.io/briefs/2026-07-mantisbt-auth-bypass/"}],"language":"en","title":"CraftedSignal Threat Feed - MantisBT (2.x)","version":"https://jsonfeed.org/version/1.1"}