CVE-2026-33052: MantisBT Allows Low-Privilege Users to Create Global Profiles
GHSA-68w5-w573-q2r8
CVE-2026-33052
Summary
A security issue in MantisBT allows a low-privileged user to create a global profile, potentially giving them access to sensitive information. This issue affects users of MantisBT, and it's recommended to apply the available patch to prevent unauthorized access. Users should check for and apply the latest updates to ensure their system is secure.
What to do
- Update mantisbt mantisbt to version 2.28.2.
- Update mantisbt mantisbt/mantisbt to version 2.28.2.
Affected software
| Ecosystem | Vendor | Product | Affected versions |
|---|---|---|---|
| composer | mantisbt | mantisbt | >= 2.28.0, < 2.28.2 (Fix: upgrade to 2.28.2) |
| Packagist | mantisbt | mantisbt/mantisbt | >= 2.28.0, < 2.28.2 (Fix: upgrade to 2.28.2) |
Original title
MantisBT Has Authorization Bypass in Global Profile Creation
Original description
MantisBT allows a low-privileged authenticated user having *add_profile_threshold* to create a global profile despite not having *manage_global_profile_threshold*, by tampering with the user_id parameter in a valid profile creation request.
### Impact
Authentication bypass
### Patches
- 3f952e68fa864e0e60abc3e84adecf3cfa84c75e
### Workarounds
None
### Credits
Thanks to Vishal Shukla for discovering and responsibly reporting the issues.
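The flaw class in the description above (CWE-639), shown as a flawed handler next to a corrected one. This is an added PHP example, not MantisBT code and not the fix in the referenced commit; the function names, the `GLOBAL_OWNER` sentinel and the numeric levels are assumptions made for illustration.

```php
<?php
// Added illustration: every name and number here is constructed, not MantisBT source.
const GLOBAL_OWNER = -1; // constructed sentinel meaning "profile visible to all users"
const THRESHOLDS = [     // constructed levels, keyed by the advisory's two settings
    'add_profile_threshold'           => 25,
    'manage_global_profile_threshold' => 70,
];

function has_level(array $actor, string $threshold): bool {
    return $actor['access_level'] >= THRESHOLDS[$threshold];
}

// Flawed pattern: one gate for "may add profiles", then the owner id from the
// request body is trusted as the authorization key.
function create_profile_flawed(array $actor, array $request): array {
    if (!has_level($actor, 'add_profile_threshold')) {
        throw new RuntimeException('access denied');
    }
    return ['owner' => (int) $request['user_id'], 'platform' => $request['platform']];
}

// Corrected pattern: the global scope has its own gate, and a personal profile
// is always bound to the session user, never to the submitted id.
function create_profile_checked(array $actor, array $request): array {
    $requested = (int) ($request['user_id'] ?? $actor['id']);
    $needed = $requested === GLOBAL_OWNER
        ? 'manage_global_profile_threshold'
        : 'add_profile_threshold';
    if (!has_level($actor, $needed)) {
        throw new RuntimeException("access denied: requires $needed");
    }
    $owner = $requested === GLOBAL_OWNER ? GLOBAL_OWNER : $actor['id'];
    return ['owner' => $owner, 'platform' => $request['platform']];
}

// Constructed sample: a user who only meets add_profile_threshold.
$actor   = ['id' => 42, 'access_level' => 25];
$request = ['user_id' => GLOBAL_OWNER, 'platform' => 'example-platform'];

echo 'flawed:  owner=', create_profile_flawed($actor, $request)['owner'], PHP_EOL;
try {
    create_profile_checked($actor, $request);
} catch (RuntimeException $e) {
    echo 'checked: ', $e->getMessage(), PHP_EOL;
}
```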
ghsa CVSS4.0
5.3
Vulnerability type
CWE-639
Authorization Bypass Through User-Controlled Key
- https://github.com/mantisbt/mantisbt/security/advisories/GHSA-68w5-w573-q2r8
- https://github.com/mantisbt/mantisbt/commit/3f952e68fa864e0e60abc3e84adecf3cfa84...
- https://github.com/mantisbt/mantisbt/releases/tag/release-2.28.2
- https://mantisbt.org/bugs/view.php?id=36974
- https://github.com/advisories/GHSA-68w5-w573-q2r8
- https://github.com/mantisbt/mantisbt (Product)
- https://nvd.nist.gov/vuln/detail/CVE-2026-33052
Published: 11 May 2026 · Updated: 15 Jun 2026 · First seen: 11 May 2026