VYPR
Medium severity · GHSA Advisory · Published May 19, 2026

CVE-2026-33052

Description

Mantis Bug Tracker (MantisBT) is an open source issue tracker. Versions 2.28.0 and 2.28.1 allow a low-privileged authenticated user assigned the "add_profile_threshold" permission to create a global profile despite not having manage_global_profile_threshold, by tampering with the user_id parameter in a valid profile creation request. This issue has been fixed in version 2.28.2.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

MantisBT 2.28.0 and 2.28.1 allow low-privileged users to create global profiles by tampering with the user_id parameter, bypassing the intended permission check.

The vulnerability is an authorization bypass in the profile creation handler of Mantis Bug Tracker (MantisBT). The intended permission model distinguishes between personal profile creation, controlled by the add_profile_threshold permission, and global profile management, controlled by the manage_global_profile_threshold permission [1]. In vulnerable versions 2.28.0 and 2.28.1, the file account_prof_update.php at line 72 only performs a permission check for personal profiles when the user_id parameter is not equal to ALL_USERS (defined as 0). If an attacker submits user_id=0, the check is skipped entirely, and profile_create() is called directly with that user ID [4].
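To make the decision logic described above concrete, here is an added Python model of the vulnerable and patched checks (this is not MantisBT's own code). It assumes the MantisBT access-level constants REPORTER=25 and MANAGER=70, assumes add_profile_threshold and manage_global_profile_threshold are set to those two levels, and models access_ensure_global_level() as a comparison against the logged-in user's global access level.

```python
"""Model of the profile-creation authorization check patched in MantisBT 2.28.2."""
from dataclasses import dataclass

ALL_USERS = 0                # MantisBT constant for a global (all-users) profile
REPORTER, MANAGER = 25, 70   # MantisBT access-level constants

# Assumed threshold values for this model (a site's config may differ)
ADD_PROFILE_THRESHOLD = REPORTER
MANAGE_GLOBAL_PROFILE_THRESHOLD = MANAGER


class AccessDenied(Exception):
    """Stand-in for a failing access_ensure_global_level() call."""

@dataclass
class Session:
    user_id: int       # what auth_get_current_user_id() returns for this request
    access_level: int  # global access level of the logged-in user

def ensure_global_level(threshold: int, session: Session) -> None:
    if session.access_level < threshold:
        raise AccessDenied(f"level {session.access_level} < threshold {threshold}")

def vulnerable_handler(session: Session, f_user_id: int) -> int:
    """2.28.0/2.28.1 logic: the check runs only when user_id != ALL_USERS."""
    t_user_id = f_user_id
    if ALL_USERS != t_user_id:
        t_user_id = session.user_id
        ensure_global_level(ADD_PROFILE_THRESHOLD, session)
    return t_user_id  # owner id that profile_create() would receive

def fixed_handler(session: Session, f_user_id: int) -> int:
    """2.28.2 logic: ALL_USERS now requires manage_global_profile_threshold."""
    t_user_id = f_user_id
    if ALL_USERS == t_user_id:
        ensure_global_level(MANAGE_GLOBAL_PROFILE_THRESHOLD, session)
    else:
        t_user_id = session.user_id
        ensure_global_level(ADD_PROFILE_THRESHOLD, session)
    return t_user_id

def profile_owner(handler, session: Session, f_user_id: int):
    """Owner id the handler would pass to profile_create(), or None if denied."""
    try:
        return handler(session, f_user_id)
    except AccessDenied:
        return None
```

Running both handlers over the same sessions shows the vulnerable version returning ALL_USERS for a REPORTER-level session, while the fixed version denies it and only accepts the global case at MANAGER level or above.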

Exploitation requires a low-privileged authenticated user who has been granted the add_profile_threshold permission (e.g., a REPORTER role) [4]. The attacker does not need any additional privileges or special network position—a standard web request to the profile update page with a tampered user_id parameter is sufficient [1]. The attack vector is network-based, and no complex conditions or target-specific customization are required [1].

A successful exploit allows the attacker to create a global profile that is visible to all users, bypassing the manage_global_profile_threshold permission that should be required for such operations [4]. This can lead to unauthorized modification of shared configuration data within the MantisBT installation, potentially affecting all users of the system.

The vulnerability has been fixed in MantisBT version 2.28.2 [3]. Users are strongly advised to upgrade immediately, as no workaround is mentioned in the advisories. The fix ensures that the proper authorization check is performed regardless of the user_id value [4].

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: mantisbt/mantisbt (Packagist)
Affected versions: >= 2.28.0, < 2.28.2
Patched versions: 2.28.2

Affected products

  • Mantisbt/Mantisbt (GHSA, 2 version ranges)
    • (no CPE) range: >= 2.28.0, < 2.28.2
    • (no CPE) range: >= 2.28.0, <= 2.28.1

Patches

Commit 3f952e68fa86: "Only authorized users can create global profiles"

Repository: https://github.com/mantisbt/mantisbt · Damien Regad · Mar 16, 2026 · via GHSA
1 file changed (+3 −1)
  • account_prof_update.php (modified, +3 −1)
    @@ -79,7 +79,9 @@
     		$f_description	= gpc_get_string( 'description' );
     		$t_user_id		= gpc_get_int( 'user_id' );
     
    -		if( ALL_USERS != $t_user_id ) {
    +		if( ALL_USERS == $t_user_id ) {
    +			access_ensure_global_level( config_get( 'manage_global_profile_threshold' ) );
    +		} else {
     			$t_user_id = auth_get_current_user_id();
     			access_ensure_global_level( config_get( 'add_profile_threshold' ), $t_user_id );
     		}
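Review bot: in the else branch the submitted user_id is silently overwritten with auth_get_current_user_id() rather than rejected when it does not match, which is safe but undocumented; a one-line comment above `$t_user_id = auth_get_current_user_id();` stating that the submitted id only selects between the global and personal cases would help the next reader. The change also touches only account_prof_update.php; a regression test in which a user at add_profile_threshold submits user_id equal to ALL_USERS and is refused by `access_ensure_global_level( config_get( 'manage_global_profile_threshold' ) );` would lock in the new branch.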
    

