PatchSiren

CVE-2026-33052 mantisbt CVE debrief

MantisBT 2.28.0–2.28.1 allows low-privileged users holding add_profile_threshold to create global profiles by tampering with the user_id parameter, bypassing manage_global_profile_threshold. Fixed in 2.28.2.

Vendor: mantisbt
Product: Unknown
CVSS: MEDIUM 5.3
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-19
Original CVE updated: 2026-05-19
Advisory published: 2026-05-19
Advisory updated: 2026-05-19

Who should care

MantisBT administrators, security teams tracking open-source issue tracker vulnerabilities, and organizations using MantisBT for internal bug tracking with role-based access controls.

Technical summary

In MantisBT versions 2.28.0 and 2.28.1, the profile creation endpoint fails to properly validate that the user_id parameter matches the session user when determining profile scope. A user with add_profile_threshold permission can manipulate this parameter to create profiles with global scope (user_id=0 or administrator ID) despite lacking manage_global_profile_threshold. The vulnerability stems from missing authorization checks between the permission threshold verification and the actual profile creation operation. The fix in 2.28.2 adds proper validation to ensure global profile creation requires manage_global_profile_threshold regardless of user_id parameter tampering.
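The following is an added Python model of the check ordering described above; it is not MantisBT's own code (which is PHP), and the numeric access levels, function names and the in-memory profile store are assumptions. It contrasts a handler that trusts the request's user_id after the threshold check with one that derives scope from the session and requires the global threshold for any other owner.

```python
from dataclasses import dataclass

# Assumed numeric access levels; MantisBT uses its own configurable thresholds.
ADD_PROFILE_THRESHOLD = 25
MANAGE_GLOBAL_PROFILE_THRESHOLD = 90

GLOBAL_SCOPE = 0  # user_id=0 denotes a global profile, as the summary describes


@dataclass
class Session:
    user_id: int
    access_level: int


class AuthorizationError(Exception):
    pass


def has_access(session: Session, threshold: int) -> bool:
    return session.access_level >= threshold


def create_profile_vulnerable(session: Session, requested_user_id: int,
                              description: str, store: list) -> int:
    """Models the 2.28.0-2.28.1 ordering: the add threshold is checked,
    then the user-controlled user_id is trusted as the profile owner."""
    if not has_access(session, ADD_PROFILE_THRESHOLD):
        raise AuthorizationError("add_profile_threshold")
    store.append((requested_user_id, description))
    return requested_user_id


def create_profile_fixed(session: Session, requested_user_id: int,
                         description: str, store: list) -> int:
    """Models the 2.28.2 behaviour: owning scope comes from the session;
    creating a profile for anyone else (global or another user) needs
    manage_global_profile_threshold, regardless of the submitted user_id."""
    if not has_access(session, ADD_PROFILE_THRESHOLD):
        raise AuthorizationError("add_profile_threshold")
    if (requested_user_id != session.user_id
            and not has_access(session, MANAGE_GLOBAL_PROFILE_THRESHOLD)):
        raise AuthorizationError("manage_global_profile_threshold")
    store.append((requested_user_id, description))
    return requested_user_id
```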

Defensive priority

Medium

Recommended defensive actions

  • Upgrade to MantisBT 2.28.2 or later.
  • Review global profiles for unauthorized entries created by non-administrative users.
  • Audit user_id parameter handling in profile creation workflows.
  • Verify role-based access controls enforce manage_global_profile_threshold for global profile creation.

Evidence notes

NVD record shows CVSS 4.0 vector and references GitHub advisory GHSA-68w5-w573-q2r8, commit 3f952e68fa864e0e60abc3e84adecf3cfa84c75e, and MantisBT bug 36974. CWE-639 (Authorization Bypass Through User-Controlled Key) identified.

Official resources

2026-05-19