๐Ÿ” CVE Alert

CVE-2026-33052

UNKNOWN 0.0

MantisBT: Authorization Bypass in Global Profile Creation

CVSS Score: 0.0
EPSS Score: 0.0%
EPSS Percentile: 0th

Mantis Bug Tracker (MantisBT) is an open source issue tracker. Versions 2.28.0 and 2.28.1 allow a low-privileged authenticated user assigned the add_profile_threshold permission to create a global profile despite not having manage_global_profile_threshold, by tampering with the user_id parameter in a valid profile creation request. This issue has been fixed in version 2.28.2.

CWE: CWE-639
Vendor: mantisbt
Product: mantisbt
Published: May 19, 2026
Last Updated: May 19, 2026

Affected Versions

mantisbt / mantisbt
>= 2.28.0, < 2.28.2

References

github.com: https://github.com/mantisbt/mantisbt/security/advisories/GHSA-68w5-w573-q2r8
github.com: https://github.com/mantisbt/mantisbt/commit/3f952e68fa864e0e60abc3e84adecf3cfa84c75e
mantisbt.org: https://mantisbt.org/bugs/view.php?id=36974