CVE-2026-33052 Overview
CVE-2026-33052 is an authorization bypass vulnerability in Mantis Bug Tracker (MantisBT), an open source issue tracking platform. The flaw affects versions 2.28.0 and 2.28.1 and stems from improper access control on the profile creation endpoint. A low-privileged authenticated user holding the add_profile_threshold permission can create a global profile by manipulating the user_id parameter in a profile creation request, bypassing the required manage_global_profile_threshold permission. The issue is classified under [CWE-639] Authorization Bypass Through User-Controlled Key. MantisBT version 2.28.2 resolves the vulnerability.
Critical Impact
Authenticated low-privileged users can escalate their effective permissions by creating global profiles they are not authorized to manage, undermining the permission threshold model in MantisBT.
Affected Products
- MantisBT version 2.28.0
- MantisBT version 2.28.1
- Fixed in MantisBT version 2.28.2
Discovery Timeline
- 2026-05-19 - CVE-2026-33052 published to NVD
- 2026-05-19 - Last updated in NVD database
Technical Details for CVE-2026-33052
Vulnerability Analysis
MantisBT implements a permission threshold model where distinct capabilities gate user-scoped and global-scoped administrative actions. The add_profile_threshold permission authorizes a user to create a profile for themselves. The manage_global_profile_threshold permission is required to create or manage profiles available to all users. The vulnerability arises because the profile creation request accepts a user_id parameter that the server trusts without re-evaluating which permission threshold applies to the requested scope.
When a low-privileged user submits a profile creation request with a tampered user_id value indicating a global profile, the application proceeds with creation based solely on the add_profile_threshold check. The server fails to enforce the higher manage_global_profile_threshold requirement that the action actually demands. The result is a horizontal-to-vertical privilege boundary bypass within the MantisBT permission system.
Root Cause
The root cause is missing server-side authorization revalidation after the user_id parameter is consumed. The code path checks the requester's permission against the lower threshold and trusts user-supplied identifiers to determine the target scope. This pattern matches [CWE-639], where a user-controlled key changes the effective resource without a corresponding authorization check. The fix in commit 3f952e68fa864e0e60abc3e84adecf3cfa84c75e adds the missing threshold validation for global profile creation. See the GitHub Security Advisory GHSA-68w5-w573-q2r8 for the maintainer write-up.
Attack Vector
Exploitation requires an authenticated account on the target MantisBT instance with the add_profile_threshold permission assigned. The attacker intercepts a legitimate profile creation request and modifies the user_id parameter to target the global scope. No user interaction, social engineering, or chained vulnerabilities are required. Because the action is performed over the standard web interface, exploitation is network-reachable and leaves only normal HTTP request artifacts in logs.
No verified proof-of-concept code is publicly available. Refer to the MantisBT Bug Report #36974 and the upstream commit for the corrective code change.
Detection Methods for CVE-2026-33052
Indicators of Compromise
- Unexpected global profiles appearing in the MantisBT mantis_user_profile_table with the owning user_id set to 0 (global) created by accounts lacking manage_global_profile_threshold.
- HTTP POST requests to account_prof_update.php or manage_prof_create.php where the submitted user_id value differs from the authenticated session's user identifier.
- Audit log entries showing profile creation events initiated by low-privileged accounts.
Detection Strategies
- Review MantisBT access logs for profile creation endpoints and correlate the requesting account's permission level with the resulting profile scope.
- Compare the inventory of global profiles before and after upgrade to identify entries created during the vulnerable window.
- Hunt for parameter tampering patterns by inspecting request bodies for user_id values that do not match the session principal.
Monitoring Recommendations
- Enable verbose application logging in MantisBT and forward logs to a centralized analytics platform for long-term retention.
- Alert on profile creation events performed by users whose role does not include manage_global_profile_threshold.
- Monitor for sudden growth in the global profile inventory, which often indicates abuse of this class of bypass.
How to Mitigate CVE-2026-33052
Immediate Actions Required
- Upgrade all MantisBT instances running 2.28.0 or 2.28.1 to version 2.28.2 without delay.
- Audit existing global profiles and remove any that cannot be attributed to an administrator with manage_global_profile_threshold.
- Review user permission assignments and remove add_profile_threshold from accounts that do not require it.
Patch Information
The vulnerability is fixed in MantisBT 2.28.2. The corrective change is contained in commit 3f952e68fa864e0e60abc3e84adecf3cfa84c75e, which adds the missing manage_global_profile_threshold check before allowing global profile creation. Full details are published in the GitHub Security Advisory GHSA-68w5-w573-q2r8.
Workarounds
- Temporarily revoke the add_profile_threshold permission from non-administrator roles until the upgrade is applied.
- Restrict network access to the MantisBT administrative endpoints using a reverse proxy or web application firewall rule that blocks profile creation requests from non-admin user sessions.
- Place the application behind authentication-aware logging to capture and review every profile creation request during the mitigation window.
# Configuration example - upgrade MantisBT to the patched release
cd /var/www/mantisbt
wget https://github.com/mantisbt/mantisbt/releases/download/2.28.2/mantisbt-2.28.2.tar.gz
tar -xzf mantisbt-2.28.2.tar.gz
# Back up config_inc.php and custom files, then deploy 2.28.2
# Run the MantisBT admin upgrade script: /admin/install.php
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
