CVE-2026-47156

CRITICALPre-NVD 0.0
0.0
EchelonGraph verdictMonitorLow exploitation likelihood right now — keep watching.
  • No confirmed exploitation signals yet
CISA-KEV: Not listedEPSS: CVSS: Exploit: NoneExposed: 0

No vendor fix yet — apply a workaround or compensating control (WAF / firewall / segmentation) and watch for a patch.

MantisBT: SOAP API Authentication Bypass with Privilege Escalation to Administrator

MantisBT 2.28.3 and earlier contains a critical authentication bypass in the SOAP API's mci_check_login() function. Any user knowing any valid cookie_string can authenticate as any other user (knowing their username), including the administrator, without knowing the target's password.

The vulnerability is exploitable with zero prior access on default MantisBT installations because self-registration is enabled by default ($g_allow_signup = ON). A self-registered user can use their own cookie_string (readable from their browser's MANTIS_STRING_COOKIE cookie after login) to impersonate the administrator via the SOAP API.

The REST API is NOT affected. The REST API's AuthMiddleware derives the username server-side from the API token or session cookie, so the username cannot be spoofed.

The Web UI is NOT affected. The Web UI authenticates via PHP session cookies (PHPSESSID) and validates the MANTIS_STRING_COOKIE against the logged-in user through auth_is_cookie_valid(). The username is derived server-side from the cookie, not supplied by the client.

Impact

  • Full administrator access to the SOAP API from zero prior access (with self-registration enabled, which is the default)
  • Read/write all issues including private issues and notes across all projects
  • Full data exfiltration of all bug reports, attachments, user accounts (id, name, email), and non-private configuration values via the 71 SOAP operations available
  • Destructive operations: delete projects, issues, attachments, tags, categories, and versions
  • Data manipulation: create/modify issues, impersonate reporters, manage project structure
  • Chains with other vulnerabilities: the SOAP admin access enables exploitation of SOAP vulnerabilities that require administrator privileges

Patches

  • https://github.com/mantisbt/mantisbt/commit/e3571c319b1721b41b0dc4b5b5203cbdcbe0c2ee

Workarounds

None

Resources

  • https://mantisbt.org/bugs/view.php?id=37121

Credits

MantisBT would like to thank McCaulay Hudson (@_McCaulay) of watchTowr for originally identifying and responsibly reporting the issue.

The vulnerability was subsequently discovered by other researchers, while the team was working on fixing and preparing the release. MantisBT credits them here, in chronological order of their reports:

  • Keitaro Yamazaki (@tyage)
  • Harrison Keating (@voraci0us)
  • Chandler Johnson (@chndlrx)
  • Bharat Devasani (@bharatdevasani)

CVSS v3
EG Score
0.0(none)
EPSS
KEV
Not listed

Published

July 15, 2026

Last Modified

July 15, 2026

Vendor Advisories for CVE-2026-47156(1)

These vendors published their own advisory mentioning this CVE — often with vendor-specific remediation steps + affected product lists not in NVD.

Data Freshness Timeline

(refreshed 1× in last 7d / 1× in last 30d)

Each row is a source pipeline that fetched or updated this CVE on that date, with what changed. For example, "NVD update" means NVD published or revised its analysis for this CVE; "MITRE cvelistV5" means we ingested or refreshed it from the CNA feed. Most recent first.

  1. 2026-07-15 16:54 UTCEG score recompute

Frequently asked(3)

What is CVE-2026-47156?
CVE-2026-47156 is a critical vulnerability published on July 15, 2026. MantisBT: SOAP API Authentication Bypass with Privilege Escalation to Administrator MantisBT 2.28.3 and earlier contains a critical authentication bypass in the SOAP API's mcichecklogin() function. Any user knowing any valid cookie_string can authenticate as any other user (knowing their username),…
When was CVE-2026-47156 disclosed?
CVE-2026-47156 was first published in the National Vulnerability Database on July 15, 2026. EchelonGraph re-ingests CVE updates from NVD on a 2-hour cycle, so this page reflects the latest published state.
How do I remediate CVE-2026-47156?
Patch to the fixed version published by the affected vendor. Where vendor advisories exist for CVE-2026-47156, EchelonGraph cross-links them in the Vendor Advisories panel below — those typically contain the canonical remediation steps, fixed version numbers, and any vendor-specific mitigations.

Dependency Blast Radius

Explore the affected products and dependency analysis for CVE-2026-47156

Explore →

Is Your Infrastructure Affected by CVE-2026-47156?

EchelonGraph automatically scans your cloud infrastructure and maps CVE exposure using blast radius analysis.