CVE Catalog

CVE-2026-58054

HighCVSS 7.2
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.27%

19th percentile — higher than 19% of all known CVEs

Summary

In MyBB 1.8.40, a limited administrator with user management permissions can assign any usergroup, including the Administrators group (gid 4). The verify_usergroup() function in the user module always returns true, allowing privilege escalation to full administrator permissions.

Risk Assessment

The organization is at risk of unauthorized privilege escalation by a user with limited admin panel access, potentially leading to full compromise of the MyBB system.

Recommendation

Immediately upgrade MyBB to version 1.8.41 or later, which includes a fix restricting usergroup assignment for limited administrators.

Original NVD description (English source)

MyBB 1.8.40 does not restrict which usergroup a limited Admin Control Panel user may assign when creating or editing users; the user module offers the Administrators group (gid 4) and its datahandler's verify_usergroup() unconditionally returns true. An admin holding only the delegated user-management permission can assign the Administrators group to an account and escalate to the full Administrator permission set.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS