Skip to main content

MyBB EUVDEUVD-2026-39974

| CVE-2026-58054 HIGH
Improper Privilege Management (CWE-269)
2026-06-28 VulnCheck GHSA-cvxv-xfvj-jmc4
8.6
CVSS 4.0 · Vendor: VulnCheck
Share

Severity by source

Vendor (VulnCheck) PRIMARY
8.6 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
7.2 HIGH

Reachable over the network via the ACP but requires an existing privileged limited-admin account (PR:H); no user interaction, low complexity, and full takeover yields high C/I/A with unchanged scope.

3.1 AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
4.0 AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (VulnCheck).

CVSS VectorVendor: VulnCheck

CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
X

Lifecycle Timeline

2
Analysis Generated
Jun 28, 2026 - 02:31 vuln.today
CVSS changed
Jun 28, 2026 - 02:22 NVD
7.2 (HIGH) 8.6 (HIGH)

DescriptionCVE.org

MyBB 1.8.40 does not restrict which usergroup a limited Admin Control Panel user may assign when creating or editing users; the user module offers the Administrators group (gid 4) and its datahandler's verify_usergroup() unconditionally returns true. An admin holding only the delegated user-management permission can assign the Administrators group to an account and escalate to the full Administrator permission set.

AnalysisAI

Privilege escalation in MyBB 1.8.40 lets a limited Admin Control Panel (ACP) user who holds only the delegated user-management permission promote any account into the Administrators usergroup (gid 4), gaining the full Administrator permission set. The flaw stems from the user module exposing the Administrators group as an assignable option while the datahandler's verify_usergroup() unconditionally returns true, performing no authorization check on the target group. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Authenticate as limited ACP user
Delivery
Open user module create/edit form
Exploit
Select Administrators group (gid 4)
Execution
verify_usergroup() returns true, save
Impact
Account gains full Administrator permissions

Vulnerability AssessmentAI

Exploitation Exploitation requires an existing authenticated MyBB Admin Control Panel account that holds the delegated user-management permission (the ability to create or edit users via the user module); this is the exact precondition reflected by PR:H in the CVSS vector. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N) scored 8.6 reflects network reachability, low complexity, no user interaction, and high impact on confidentiality, integrity, and availability - but critically requires high privileges (PR:H), meaning the attacker must already be a trusted, authenticated limited ACP admin. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario A forum operator grants a moderator a limited ACP account with only the user-management permission to handle routine account edits. That moderator opens the user module, edits their own (or a confederate's) account, selects the Administrators group from the still-available usergroup dropdown, and saves - instantly gaining full administrator control over the board. …
Remediation No vendor-released patch version is identified in the available data, so monitor MyBB's official releases and the VulnCheck advisory (https://www.vulncheck.com/advisories/mybb-privilege-escalation-from-limited-acp-user-management-to-administrator) for an upstream fix and upgrade as soon as a patched 1.8.x release is published. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

24 hours: Audit all delegated Admin Control Panel users with user-management permissions and immediately revoke or restrict permissions for non-critical roles. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

More in Mybb

View all
CVE-2022-24734 HIGH POC
7.2 Mar 09

MyBB is a free and open source forum software. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitabl

CVE-2017-16780 CRITICAL POC
9.8 Nov 10

The installer in MyBB before 1.8.13 allows remote attackers to execute arbitrary code by writing to the configuration fi

CVE-2021-27946 HIGH POC
8.8 Mar 15

SQL Injection vulnerability in MyBB before 1.8.26 via poll vote count. Rated high severity (CVSS 8.8), this vulnerabilit

CVE-2021-27890 HIGH POC
8.8 Mar 15

SQL Injection vulnerablity in MyBB before 1.8.26 via theme properties included in theme XML files. Rated high severity (

CVE-2019-12830 HIGH POC
8.7 Jun 15

In MyBB before 1.8.21, an attacker can exploit a parsing flaw in the Private Message / Post renderer that leads to [vide

CVE-2017-7566 HIGH POC
7.7 Apr 06

MyBB before 1.8.11 allows remote attackers to bypass an SSRF protection mechanism. Rated high severity (CVSS 7.7), this

CVE-2014-9240 HIGH POC
7.5 Dec 03

SQL injection vulnerability in member.php in MyBB (aka MyBulletinBoard) 1.8.x before 1.8.2 allows remote attackers to ex

CVE-2025-29458 HIGH POC
7.6 Apr 17

An issue in MyBB 1.8.38 allows a remote attacker to obtain sensitive information via the Change Avatar function. Rated h

CVE-2025-29457 HIGH POC
7.6 Apr 17

An issue in MyBB 1.8.38 allows a remote attacker to obtain sensitive information via the Import a Theme function. Rated

CVE-2025-29459 HIGH POC
7.6 Apr 17

An issue in MyBB 1.8.38 allows a remote attacker to obtain sensitive information via the Mail function. Rated high sever

CVE-2012-5909 HIGH POC
7.5 Nov 17

SQL injection vulnerability in admin/modules/user/users.php in MyBB (aka MyBulletinBoard) 1.6.6 allows remote attackers

CVE-2022-39265 HIGH POC
7.2 Oct 06

MyBB is a free and open source forum software. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitabl

Share

EUVD-2026-39974 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy