Executive Summary

CVE-2026-33052 is an authorization bypass vulnerability in Mantis Bug Tracker (MantisBT) versions 2.28.0 and 2.28.1. It allows a low-privileged authenticated user who has the permission to create personal profiles (add_profile_threshold) to create a global profile without having the required manage_global_profile_threshold permission. This is done by tampering with the user_id parameter in a profile creation request, specifically by setting user_id to 0 (ALL_USERS), which bypasses the intended access control checks.

The root cause was a missing access level check in the account_prof_update.php file, which failed to enforce the proper authorization before allowing global profile creation. The issue was fixed in version 2.28.2 by adding a call to access_ensure_global_level() to ensure only users with the correct global access level can create global profiles.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can impact you by allowing an attacker with low privileges to escalate their permissions and create unauthorized global profiles within the MantisBT system. This compromises system integrity because global profiles can affect multiple users or system-wide settings.

Such unauthorized global profiles could potentially be used to perform unauthorized modifications or actions, leading to further security risks or misuse of the system.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by monitoring for unauthorized creation of global profiles in MantisBT versions 2.28.0 and 2.28.1. Specifically, detection involves checking for requests to the profile creation endpoint where the user_id parameter is set to 0 (ALL_USERS), which indicates an attempt to create a global profile.

You can look for suspicious HTTP POST requests to the account_prof_update.php file with the user_id parameter set to 0. For example, using network monitoring or web server logs, filter for requests containing 'user_id=0' in the POST data.

Example command to search web server logs for such attempts (assuming Apache logs):

• grep 'user_id=0' /var/log/apache2/access.log

Additionally, you can use tools like curl or wget to simulate such requests for testing detection mechanisms.

Useful 0 Not Useful 0

Mitigation Strategies

The immediate mitigation step is to upgrade MantisBT to version 2.28.2 or later, where this vulnerability has been fixed by enforcing proper access control checks.

If upgrading immediately is not possible, restrict access to the profile creation functionality to trusted users only and monitor for suspicious activity involving the user_id parameter.

No workarounds are currently available, so patching is the recommended and effective mitigation.

Useful 0 Not Useful 0

Compliance Impact

This vulnerability allows a low-privileged authenticated user to bypass authorization controls and create global profiles without the required permissions, potentially leading to unauthorized modifications within the MantisBT system.

Such unauthorized privilege escalation and potential unauthorized data changes could impact compliance with standards and regulations like GDPR and HIPAA, which require strict access controls and protection of sensitive data to ensure data integrity and confidentiality.

By allowing unauthorized global profile creation, the vulnerability could undermine the enforcement of access policies and audit controls necessary for regulatory compliance.

Useful 0 Not Useful 0