Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
4DescriptionGitHub Advisory
MantisBT allows a low-privileged authenticated user having *add_profile_threshold* to create a global profile despite not having *manage_global_profile_threshold*, by tampering with the user_id parameter in a valid profile creation request.
Impact
Authentication bypass
Patches
- 3f952e68fa864e0e60abc3e84adecf3cfa84c75e
Workarounds
None
Credits
Thanks to Vishal Shukla for discovering and responsibly reporting the issues.
AnalysisAI
MantisBT 2.28.0-2.28.1 allows authenticated users with add_profile_threshold permission to create global profiles by tampering with the user_id parameter, bypassing the manage_global_profile_threshold authorization check. An attacker with low-privileged authentication can escalate their profile creation capabilities to global scope via direct parameter manipulation in the profile creation request.
Technical ContextAI
MantisBT is a PHP-based issue tracking system (composer package: mantisbt/mantisbt). The vulnerability exists in the account profile creation mechanism, specifically in account_prof_update.php. The root cause (CWE-639: Authorization Bypass Through User-Controlled Key) stems from insufficient authorization validation on the user_id parameter. The code incorrectly evaluated the condition for enforcing manage_global_profile_threshold: it checked if user_id was NOT equal to ALL_USERS before requiring the elevated permission, when it should have checked if user_id WAS equal to ALL_USERS. This logic inversion allows a low-privileged user with add_profile_threshold to submit a profile creation request with user_id set to ALL_USERS and bypass the global profile authorization check entirely.
RemediationAI
Upgrade MantisBT to version 2.28.2 or later immediately. The vendor-released patch is confirmed in commit 3f952e68fa864e0e60abc3e84adecf3cfa84c75e and released in MantisBT 2.28.2 (https://github.com/mantisbt/mantisbt/releases/tag/release-2.28.2). The fix corrects the logic in account_prof_update.php to properly enforce manage_global_profile_threshold when user_id equals ALL_USERS. No workarounds are available; patch installation is the only supported remediation. For environments unable to upgrade immediately, restrict access to account_prof_update.php at the web server level or disable profile management features via MantisBT configuration, though this may impact legitimate functionality and requires careful change management.
Same technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-30820
GHSA-68w5-w573-q2r8