GHSA-68w5-w573-q2r8
Suggest an improvement- Source
- https://github.com/advisories/GHSA-68w5-w573-q2r8
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-68w5-w573-q2r8/GHSA-68w5-w573-q2r8.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-68w5-w573-q2r8
- Aliases
-
- CVE-2026-33052
- Published
- 2026-05-11T17:58:50Z
- Modified
- 2026-05-11T18:17:19.954447Z
- Severity
-
- 5.3 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N CVSS Calculator
- Summary
- MantisBT Has Authorization Bypass in Global Profile Creation
- Details
-
MantisBT allows a low-privileged authenticated user having addprofilethreshold to create a global profile despite not having *manageglobalprofilethreshold*, by tampering with the userid parameter in a valid profile creation request.
Impact
Authentication bypass
Patches
- 3f952e68fa864e0e60abc3e84adecf3cfa84c75e
Workarounds
None
Credits
Thanks to Vishal Shukla for discovering and responsibly reporting the issues.
- Database specific
{ "github_reviewed": true, "github_reviewed_at": "2026-05-11T17:58:50Z", "cwe_ids": [ "CWE-639" ], "severity": "MODERATE", "nvd_published_at": null }- References
-
- https://github.com/mantisbt/mantisbt/security/advisories/GHSA-68w5-w573-q2r8
- https://github.com/mantisbt/mantisbt/commit/3f952e68fa864e0e60abc3e84adecf3cfa84c75e
- https://github.com/mantisbt/mantisbt
- https://github.com/mantisbt/mantisbt/releases/tag/release-2.28.2
- https://mantisbt.org/bugs/view.php?id=36974
Affected packages
Packagist / mantisbt/mantisbt
Package
- Name
- mantisbt/mantisbt
- Purl
- pkg:composer/mantisbt/mantisbt