Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Reachable over the network via the ACP but requires an existing privileged limited-admin account (PR:H); no user interaction, low complexity, and full takeover yields high C/I/A with unchanged scope.
Primary rating from Vendor (VulnCheck).
CVSS VectorVendor: VulnCheck
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
2DescriptionCVE.org
MyBB 1.8.40 does not restrict which usergroup a limited Admin Control Panel user may assign when creating or editing users; the user module offers the Administrators group (gid 4) and its datahandler's verify_usergroup() unconditionally returns true. An admin holding only the delegated user-management permission can assign the Administrators group to an account and escalate to the full Administrator permission set.
AnalysisAI
Privilege escalation in MyBB 1.8.40 lets a limited Admin Control Panel (ACP) user who holds only the delegated user-management permission promote any account into the Administrators usergroup (gid 4), gaining the full Administrator permission set. The flaw stems from the user module exposing the Administrators group as an assignable option while the datahandler's verify_usergroup() unconditionally returns true, performing no authorization check on the target group. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires an existing authenticated MyBB Admin Control Panel account that holds the delegated user-management permission (the ability to create or edit users via the user module); this is the exact precondition reflected by PR:H in the CVSS vector. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N) scored 8.6 reflects network reachability, low complexity, no user interaction, and high impact on confidentiality, integrity, and availability - but critically requires high privileges (PR:H), meaning the attacker must already be a trusted, authenticated limited ACP admin. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | A forum operator grants a moderator a limited ACP account with only the user-management permission to handle routine account edits. That moderator opens the user module, edits their own (or a confederate's) account, selects the Administrators group from the still-available usergroup dropdown, and saves - instantly gaining full administrator control over the board. … |
| Remediation | No vendor-released patch version is identified in the available data, so monitor MyBB's official releases and the VulnCheck advisory (https://www.vulncheck.com/advisories/mybb-privilege-escalation-from-limited-acp-user-management-to-administrator) for an upstream fix and upgrade as soon as a patched 1.8.x release is published. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
24 hours: Audit all delegated Admin Control Panel users with user-management permissions and immediately revoke or restrict permissions for non-critical roles. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
MyBB is a free and open source forum software. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitabl
The installer in MyBB before 1.8.13 allows remote attackers to execute arbitrary code by writing to the configuration fi
SQL Injection vulnerability in MyBB before 1.8.26 via poll vote count. Rated high severity (CVSS 8.8), this vulnerabilit
SQL Injection vulnerablity in MyBB before 1.8.26 via theme properties included in theme XML files. Rated high severity (
In MyBB before 1.8.21, an attacker can exploit a parsing flaw in the Private Message / Post renderer that leads to [vide
MyBB before 1.8.11 allows remote attackers to bypass an SSRF protection mechanism. Rated high severity (CVSS 7.7), this
SQL injection vulnerability in member.php in MyBB (aka MyBulletinBoard) 1.8.x before 1.8.2 allows remote attackers to ex
An issue in MyBB 1.8.38 allows a remote attacker to obtain sensitive information via the Change Avatar function. Rated h
An issue in MyBB 1.8.38 allows a remote attacker to obtain sensitive information via the Import a Theme function. Rated
An issue in MyBB 1.8.38 allows a remote attacker to obtain sensitive information via the Mail function. Rated high sever
SQL injection vulnerability in admin/modules/user/users.php in MyBB (aka MyBulletinBoard) 1.6.6 allows remote attackers
MyBB is a free and open source forum software. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitabl
Same weakness CWE-269 – Improper Privilege Management
View allSame technique Privilege Escalation
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-39974
GHSA-cvxv-xfvj-jmc4