Description
MyBB 1.8.40 does not restrict which usergroup a limited Admin Control Panel user may assign when creating or editing users; the user module offers the Administrators group (gid 4) and its datahandler's verify_usergroup() unconditionally returns true. An admin holding only the delegated user-management permission can assign the Administrators group to an account and escalate to the full Administrator permission set.
Published: 2026-06-28
Score: 8.6 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

MyBB 1.8.40 allows a limited Admin Control Panel user holding only the delegated user-management permission to assign any usergroup, including the Administrators group (gid 4), when creating or editing accounts. The user module offers that group as a selectable option, and the user datahandler's verify_usergroup() always returns true, so the limited user can elevate an account they control to full Administrator status and gain complete control of the site. The flaw is an instance of insufficient privilege management (CWE-269).

Affected Systems

The affected product is MyBB, version 1.8.40. This record names only that version; no other release is stated to be affected.

Risk and Exploitability

The flaw carries a CVSS v4.0 score of 8.6 (High) and a CVSS v3.1 score of 7.2; no EPSS score is published, and it is not listed in CISA KEV. Exploitation requires an authenticated account that already holds delegated user-management rights in the web-based Admin Control Panel, so the issue is a post-authentication privilege escalation by a user with limited privileges rather than an unauthenticated attack.

Generated by OpenCVE AI on June 28, 2026 at 03:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade MyBB to a version that implements proper usergroup validation, addressing the insufficient privilege management flaw (CWE‑269).
  • Restrict or revoke the delegated user‑management permission from all ACP users who do not need it, ensuring only administrators can assign user groups.
  • Validate that non‑administrator accounts can no longer assign the Administrators group after the changes.
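The check the recommendations call for, shown as an added PHP illustration that is not MyBB's own code: the unchecked shape named in the description beside a hardened shape that refuses a privileged group unless the acting ACP user already holds full administrator rights. The group-table layout with a 'cancp' flag, the $actor array, and both function names are assumptions made for this example; the Administrators gid 4 comes from the advisory.

```php
<?php
// Added illustration for this record, not MyBB's code. $groups[gid]['cancp'],
// $actor['is_super_admin'] and the function names are assumptions for the example.

const ADMIN_GID = 4; // Administrators usergroup id named in the advisory

// Shape described in the advisory: every requested usergroup is accepted, so the
// privilege level of the person making the assignment never enters the decision.
function verify_usergroup_unchecked(array $data): bool
{
    return true;
}

// Hardened shape: each requested group must exist, and any group that grants Admin
// Control Panel access (modelled here by a 'cancp' flag) may only be assigned by an
// actor who already holds the full administrator permission set. Returns a list of
// error strings; an empty list means the assignment is acceptable.
function usergroup_assignment_errors(array $data, array $actor, array $groups): array
{
    $requested = [(int)($data['usergroup'] ?? 0)];
    foreach (explode(',', (string)($data['additionalgroups'] ?? '')) as $g) {
        if ($g !== '') {
            $requested[] = (int)$g;
        }
    }

    $errors = [];
    foreach (array_unique($requested) as $gid) {
        if (!isset($groups[$gid])) {
            $errors[] = "unknown usergroup $gid";
        } elseif (!empty($groups[$gid]['cancp']) && empty($actor['is_super_admin'])) {
            $errors[] = "actor {$actor['uid']} may not assign privileged usergroup $gid";
        }
    }
    return $errors;
}

// Constructed sample data: a limited ACP operator with delegated user management
// submits an edit that sets the primary group to Administrators.
$groups = [
    2         => ['title' => 'Registered',     'cancp' => 0],
    ADMIN_GID => ['title' => 'Administrators', 'cancp' => 1],
];
$limitedActor = ['uid' => 7, 'is_super_admin' => false, 'can_manage_users' => true];
$request      = ['usergroup' => ADMIN_GID, 'additionalgroups' => '2'];

echo "unchecked accepts request: ", var_export(verify_usergroup_unchecked($request), true), "\n";
echo "hardened errors: ", implode('; ', usergroup_assignment_errors($request, $limitedActor, $groups)), "\n";
```

Whatever field carries the ACP-access property in a real deployment, the point is the same: the datahandler must compare the requested groups against the permissions of the acting admin, not merely confirm the groups exist.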


Advisories

No advisories yet.

History

Sun, 28 Jun 2026 02:15:00 +0000

Type                 Values Removed   Values Added
Description          -                (the description shown at the top of this record)
Title                -                MyBB - Privilege Escalation from Limited ACP User Management to Administrator
First Time appeared  -                Mybb; Mybb mybb
Weaknesses           -                CWE-269
CPEs                 -                cpe:2.3:a:mybb:mybb:*:*:*:*:*:*:*:*
Vendors & Products   -                Mybb; Mybb mybb
References           -                -
Metrics              -                cvssV3_1 {'score': 7.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H'}
                                      cvssV4_0 {'score': 8.6, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-06-28T01:32:56.492Z

Reserved: 2026-06-28T00:55:25.426Z

Link: CVE-2026-58054

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-28T04:00:12Z

Weaknesses
  • CWE-269: Improper Privilege Management