{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/soap-api/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["MantisBT"],"_cs_severities":["critical"],"_cs_tags":["mantisbt","authentication-bypass","soap-api"],"_cs_type":"advisory","_cs_vendors":["MantisBT"],"content_html":"\u003cp\u003eMantisBT, a widely used web-based bug tracking system, is susceptible to a critical authentication bypass vulnerability (CVE-2026-30849) affecting instances utilizing MySQL or compatible databases. This flaw stems from inadequate type checking on the password parameter within the SOAP API. Specifically, the vulnerability exists in MantisBT versions prior to 2.28.1. An attacker who knows a valid username can exploit this weakness to gain unauthorized access to the SOAP API, circumventing the need for the correct password. Other database backends are not affected due to their stricter type handling. Successful exploitation grants the attacker the ability to execute any API function accessible to the compromised user, posing a significant risk of data breaches, system compromise, and unauthorized modifications.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker identifies a vulnerable MantisBT instance running on MySQL or a compatible database.\u003c/li\u003e\n\u003cli\u003eAttacker obtains a valid username for the MantisBT instance (e.g., through OSINT or social engineering).\u003c/li\u003e\n\u003cli\u003eAttacker crafts a malicious SOAP envelope containing the target username and a manipulated password parameter designed to exploit the type checking vulnerability.\u003c/li\u003e\n\u003cli\u003eAttacker sends the crafted SOAP request to the MantisBT instance's SOAP API endpoint.\u003c/li\u003e\n\u003cli\u003eThe vulnerable MantisBT instance improperly processes the password parameter due to insufficient type validation.\u003c/li\u003e\n\u003cli\u003eThe MantisBT instance authenticates the attacker as the targeted user without requiring the correct password.\u003c/li\u003e\n\u003cli\u003eAttacker leverages the authenticated SOAP API session to execute privileged API functions.\u003c/li\u003e\n\u003cli\u003eAttacker exfiltrates sensitive bug data, modifies bug reports, or performs other malicious actions within the MantisBT system.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows an attacker to bypass authentication and gain unauthorized access to a MantisBT instance. The impact includes potential data breaches involving sensitive bug reports, project information, and user data. Attackers can modify or delete bug reports, disrupt project workflows, or escalate their access to other systems connected to the MantisBT instance. While the exact number of affected MantisBT installations is unknown, the widespread use of MantisBT across various sectors suggests a potentially broad impact. Disabling the SOAP API mitigates the risk, but still allows the attacker to retrieve user account information including email address and real name.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade MantisBT to version 2.28.1 or later to patch CVE-2026-30849 and remediate the authentication bypass vulnerability.\u003c/li\u003e\n\u003cli\u003eIf upgrading is not immediately feasible, disable the SOAP API as a workaround, referencing the \u003ca href=\"https://mantisbt.org/docs/master/en-US/Admin_Guide/html-desktop/#admin.config.api.disable\"\u003eMantisBT documentation\u003c/a\u003e .\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for suspicious SOAP API requests containing unusual password parameters indicative of exploitation attempts. Deploy a webserver rule to detect unusual password parameters in SOAP API requests.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-02T12:00:00Z","date_published":"2024-01-02T12:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-mantisbt-auth-bypass/","summary":"MantisBT instances running on MySQL are vulnerable to an authentication bypass in the SOAP API due to improper type checking on the password parameter, allowing attackers with a valid username to log in without the actual password.","title":"MantisBT Authentication Bypass via SOAP API on MySQL","url":"https://feed.craftedsignal.io/briefs/2024-01-mantisbt-auth-bypass/"}],"language":"en","title":"CraftedSignal Threat Feed - Soap-Api","version":"https://jsonfeed.org/version/1.1"}