CVE-2026-58054
MyBB - Privilege Escalation from Limited ACP User Management to Administrator
Vexday Risk Score
41Attention
SSVC decision (CISA)
Attend
PoC available → attend closely
CVSS 8.6EPSS 0.3%KEV nãoPoC públicaNuclei —Metasploit —Patch —
Lifecycle
28 Jun 2026Published on NVD
Recommendation: Plan a near-term fix — a public PoC already exists.
MyBB 1.8.40 does not restrict which usergroup a limited Admin Control Panel user may assign when creating or editing users; the user module offers the Administrators group (gid 4) and its datahandler's verify_usergroup() unconditionally returns true. An admin holding only the delegated user-management permission can assign the Administrators group to an account and escalate to the full Administrator permission set.
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
Affected products
MyBB · MyBBpublic PoCs found — 1
cve_referencegithub.com/bikini/exploitarium/tree/main/mybb-limited-acp-to-adminunverified⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.
Want to know if your infrastructure is exposed to this?
Talk to TrueHacking →