MyBB 1.8.40 Limited Admin CP User-Manager to Full Administrator Privilege Escalation
by bikini (@ashdfrkl) — original discovery; mirrored via exploitarium · 2026-07-03
- Severity: High
- CVE: None assigned as of 2026-07-03 (see Notes — CVE-2026-45115 identifies a separate, already-patched MyBB issue)
- Category: web
- Affected product: MyBB forum software, Admin CP add-user flow
- Affected versions: MyBB 1.8.40 (version code 1840), latest release as of source publication
- Disclosed: 2026-07-03
- Patch status: unpatched
Archive entry: intelseclab/poc-archive
Metadata
| Field | Value |
|---|---|
| Date Added | 2026-07-03 |
| Last Updated | 2026-06 |
| Author / Researcher | bikini (@ashdfrkl) — original discovery; mirrored via exploitarium |
| CVE / Advisory | None assigned as of 2026-07-03 (see Notes — CVE-2026-45115 identifies a separate, already-patched MyBB issue) |
| Category | web |
| Severity | High |
| CVSS Score | Not yet scored (no CVE/CVSS assigned) |
| Status | PoC |
| Tags | mybb, privilege-escalation, admin-cp, authorization-bypass, forum-software, php, access-control |
| Related | CVE-2026-45115 (different, already-patched MyBB buddy-list XSS chain) |
Affected Target
| Field | Value |
|---|---|
| Software / System | MyBB forum software, Admin CP add-user flow |
| Versions Affected | MyBB 1.8.40 (version code 1840), latest release as of source publication |
| Language / Platform | Python 3 (standard library only); targets PHP-based MyBB Admin CP over HTTP(S) |
| Authentication Required | Yes — requires an authenticated Admin CP account with only the user-users (manage users) permission |
| Network Access Required | Yes |
Summary
A non-super Admin CP account that has only the user-management permission (user-users = 1) can use the standard Admin CP “add user” form to create a brand-new account directly in the Administrator group (gid=4), because the underlying user data handler’s verify_usergroup() unconditionally returns true and never checks whether the acting ACP user is authorized to grant an Admin CP-capable group. The add-user form itself renders every non-guest usergroup, including Administrator, and the submitted usergroup/additionalgroups/displaygroup fields are forwarded to the handler without an authorization check. The newly created account fully inherits Administrator-group Admin CP permissions, including access to modules (such as Configuration) that the original limited account was explicitly denied — a complete privilege escalation from a narrowly scoped ACP role to full application administration. This PoC was published by a pseudonymous independent researcher (bikini/ashdfrkl) as part of the uncoordinated “exploitarium” vulnerability dump; it has not been vendor-confirmed, and the source README explicitly distinguishes this issue from CVE-2026-45115, which is a different, already-patched buddy/ignore-list username stored-XSS chain in the same MyBB version.
Vulnerability Details
Root Cause
MyBB’s Admin CP add-user flow forwards the submitted usergroup, additionalgroups, and displaygroup fields directly into the user data handler, and UserDataHandler::verify_usergroup() always returns true with no check that the acting Admin CP user is authorized to grant Admin CP-capable groups such as Administrator (gid=4).
Attack Vector
- Attacker obtains or is granted a limited Admin CP account with only the user-users permission (no super-admin, no admin-permissions module access).
- Attacker confirms the account is denied access to unrelated modules (e.g. config-settings), establishing the limited-privilege baseline.
- Attacker uses the Admin CP “add user” form, which lists every non-guest usergroup including Administrator, and submits a new user with usergroup=4.
- The user data handler accepts the group assignment unconditionally via verify_usergroup() returning true, and the new Administrator-group account is created.
- Attacker logs in as the newly created account and confirms it now has full Administrator Admin CP access, including modules the original account could never reach.
Impact
Full MyBB application administration (configuration, user management, themes/templates, forum content, and all Admin CP functionality) obtainable by any account with only limited, narrowly-scoped Admin CP user-management access.
Environment / Lab Setup
Target: MyBB 1.8.40 (version code 1840) with a non-super Admin CP account holding only user-users=1
Attacker: Python 3 standard library only
Proof of Concept
PoC Script
See mybb_limited_acp_to_admin.py in this folder.
The script logs into the Admin CP with the limited account, confirms it is denied access to an unrelated module, submits the add-user form to create a new gid=4 Administrator account, logs in as that new account, and confirms the same module is no longer denied — proving the privilege-escalation boundary crossing end-to-end.
Detection & Indicators of Compromise
Signs of compromise:
- New Administrator-group MyBB accounts appearing shortly after activity from a limited, non-super Admin CP account
- Admin CP audit/moderation logs showing user-creation events from accounts without super-admin privileges assigning privileged groups
- Unexplained changes to board configuration, themes, or templates traceable to a recently escalated account
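The second indicator above (user-creation events by non-super-admin accounts that assign privileged groups) can be checked mechanically against the Admin CP log and the user table. The following is an added example, not part of the original advisory and not MyBB code: the record shapes are a simplified, constructed stand-in for MyBB's mybb_adminlog and mybb_users rows (column names follow MyBB's, the sample data is invented), and the sets of super-administrator uids and Admin CP-capable groups are assumptions the operator would fill from inc/config.php and the usergroups table.

```python
"""Detection sketch for the Admin CP user-creation indicator.

Added example, not part of the original advisory or of MyBB. Record shapes are a
simplified, constructed stand-in for mybb_adminlog and mybb_users rows.
"""
from dataclasses import dataclass
from typing import Iterable

# Constructed: uids listed as super administrators (MyBB keeps these in
# inc/config.php under $config['super_admins']).
SUPER_ADMINS = frozenset({1})

# Constructed: usergroups whose cancp flag grants Admin CP access. gid 4
# (Administrator) is the group named in the advisory.
ACP_CAPABLE_GROUPS = frozenset({4})


@dataclass(frozen=True)
class AdminLogEvent:
    uid: int         # acting Admin CP account
    module: str      # Admin CP module, e.g. "user-users"
    action: str      # e.g. "add"
    target_uid: int  # uid of the account the event refers to
    dateline: int    # unix timestamp


@dataclass(frozen=True)
class UserRow:
    uid: int
    username: str
    usergroup: int
    additionalgroups: str  # comma-separated gids, as MyBB stores them
    displaygroup: int      # 0 means "same as primary group"


def effective_groups(user: UserRow) -> set[int]:
    """Primary, additional and display groups as one set of gids."""
    groups = {user.usergroup}
    if user.displaygroup:
        groups.add(user.displaygroup)
    groups.update(int(g) for g in user.additionalgroups.split(",") if g.strip())
    return groups


def find_suspicious_admin_creations(
    events: Iterable[AdminLogEvent],
    users: Iterable[UserRow],
    super_admins: frozenset[int] = SUPER_ADMINS,
    acp_groups: frozenset[int] = ACP_CAPABLE_GROUPS,
) -> list[dict]:
    """Return user-creation events by non-super-admins whose new account
    lands in an Admin CP-capable group, i.e. the escalation pattern above."""
    by_uid = {u.uid: u for u in users}
    findings = []
    for ev in sorted(events, key=lambda e: e.dateline):
        if (ev.module, ev.action) != ("user-users", "add"):
            continue
        if ev.uid in super_admins:
            continue  # super admins may legitimately create administrators
        created = by_uid.get(ev.target_uid)
        if created is None:
            continue  # account already deleted; nothing left to inspect
        granted = effective_groups(created) & acp_groups
        if granted:
            findings.append({
                "actor_uid": ev.uid,
                "created_uid": created.uid,
                "created_username": created.username,
                "acp_groups_granted": sorted(granted),
                "dateline": ev.dateline,
            })
    return findings


# Constructed sample data: uid 1 is a super admin, uid 7 is a limited ACP
# account holding only user-users. uid 13 hides the privileged group in
# additionalgroups rather than the primary group.
SAMPLE_EVENTS = [
    AdminLogEvent(uid=1, module="user-users", action="add", target_uid=10, dateline=1_780_000_000),
    AdminLogEvent(uid=7, module="user-users", action="add", target_uid=11, dateline=1_780_000_100),
    AdminLogEvent(uid=7, module="user-users", action="add", target_uid=12, dateline=1_780_000_200),
    AdminLogEvent(uid=7, module="user-users", action="add", target_uid=13, dateline=1_780_000_300),
    AdminLogEvent(uid=7, module="user-users", action="edit", target_uid=11, dateline=1_780_000_400),
]
SAMPLE_USERS = [
    UserRow(10, "staff_admin", 4, "", 0),
    UserRow(11, "newadmin", 4, "", 0),
    UserRow(12, "regular", 2, "", 0),
    UserRow(13, "sneaky", 2, "3,4", 0),
]

if __name__ == "__main__":
    for finding in find_suspicious_admin_creations(SAMPLE_EVENTS, SAMPLE_USERS):
        print(finding)
```

The check deliberately unions primary, additional and display groups, since the advisory notes that all three fields reach the data handler; an account whose primary group is ordinary but whose additionalgroups includes Administrator is flagged the same way.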
Remediation
| Action | Detail |
|---|---|
| Primary fix | No vendor patch confirmed as of 2026-07-03 — monitor for advisory |
| Interim mitigation | Reject any primary, additional, or display group with Admin CP capability in add-user/edit-user/mass-update flows unless the acting user is a super administrator or holds an explicit high-trust group-grant permission; harden UserDataHandler::verify_usergroup() to enforce this instead of always returning true |
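The interim mitigation in the table is an authorization rule on the three submitted group fields. The following is an added example, not MyBB's PHP and not part of the original advisory: a Python model of that rule next to the unconditional check the advisory describes. The field names usergroup, additionalgroups and displaygroup are the add-user form fields named in the advisory; the Actor type, the can_grant_acp_groups permission name, and the super-admin and Admin CP-capable group sets are assumptions.

```python
"""Model of the interim mitigation from the Remediation table.

Added example, not MyBB code. Field names follow the Admin CP add-user form
named in the advisory; the actor model and permission name are assumptions.
"""
from dataclasses import dataclass, field

# Constructed: super administrator uids and Admin CP-capable groups (cancp=1).
# gid 4 (Administrator) is the group the advisory names.
SUPER_ADMINS = frozenset({1})
ACP_CAPABLE_GROUPS = frozenset({4})


@dataclass(frozen=True)
class Actor:
    uid: int
    # Assumed name for an explicit high-trust permission to grant ACP groups.
    can_grant_acp_groups: bool = False


@dataclass(frozen=True)
class RequestedGroups:
    usergroup: int
    additionalgroups: frozenset[int] = field(default_factory=frozenset)
    displaygroup: int = 0  # 0 means "same as primary"

    @classmethod
    def from_form(cls, form: dict) -> "RequestedGroups":
        """Parse the submitted fields; additionalgroups may arrive as a
        comma-separated string or a list. Non-numeric values raise ValueError."""
        raw_additional = form.get("additionalgroups", "")
        if isinstance(raw_additional, str):
            raw_additional = [g for g in raw_additional.split(",") if g.strip()]
        return cls(
            usergroup=int(form["usergroup"]),
            additionalgroups=frozenset(int(g) for g in raw_additional),
            displaygroup=int(form.get("displaygroup", 0) or 0),
        )

    def all_groups(self) -> set[int]:
        """Every group the new account would end up holding or displaying."""
        groups = {self.usergroup} | set(self.additionalgroups)
        if self.displaygroup:
            groups.add(self.displaygroup)
        return groups


def verify_usergroup_unconditional(actor: Actor, requested: RequestedGroups) -> bool:
    """The behaviour the advisory describes: the handler never refuses."""
    return True


def verify_usergroup_hardened(
    actor: Actor,
    requested: RequestedGroups,
    acp_groups: frozenset[int] = ACP_CAPABLE_GROUPS,
    super_admins: frozenset[int] = SUPER_ADMINS,
) -> tuple[bool, str]:
    """Refuse any primary, additional or display group with Admin CP capability
    unless the actor is a super admin or holds the explicit grant permission."""
    privileged = requested.all_groups() & acp_groups
    if not privileged:
        return True, "no Admin CP-capable group requested"
    if actor.uid in super_admins:
        return True, "actor is a super administrator"
    if actor.can_grant_acp_groups:
        return True, "actor holds explicit ACP-group grant permission"
    return False, f"actor {actor.uid} may not grant Admin CP-capable groups {sorted(privileged)}"


# Constructed: the advisory's scenario, a limited ACP account (uid 7) submitting
# usergroup=4, plus an ordinary request and one that hides gid 4 in additionalgroups.
LIMITED_ACTOR = Actor(uid=7)
SUPER_ACTOR = Actor(uid=1)
ESCALATION_FORM = {"usergroup": "4", "additionalgroups": "", "displaygroup": "0"}
ORDINARY_FORM = {"usergroup": "2", "additionalgroups": "3", "displaygroup": "0"}
HIDDEN_FORM = {"usergroup": "2", "additionalgroups": ["3", "4"], "displaygroup": "0"}

if __name__ == "__main__":
    req = RequestedGroups.from_form(ESCALATION_FORM)
    print("unconditional:", verify_usergroup_unconditional(LIMITED_ACTOR, req))
    print("hardened:", verify_usergroup_hardened(LIMITED_ACTOR, req))
```

The decision is made on the union of all three group fields, so the same rule covers the add-user, edit-user and mass-update flows the table lists; the request is evaluated before any write, and a refusal carries a reason suitable for the Admin CP log.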
Notes
Mirrored from https://github.com/bikini/exploitarium (folder: mybb-limited-acp-to-admin) on 2026-07-03. No CVE has been assigned to this specific limited-ACP privilege-escalation issue as of ingestion. The source README explicitly clarifies that CVE-2026-45115 identifies a different, already-patched MyBB 1.8.40 issue (a regular-user buddy/ignore-list username stored-XSS chain leading to Admin CP compromise) and that this PoC targets a separate, still-unpatched limited-ACP-to-Administrator privilege-escalation flow in the same latest release. This is an uncoordinated disclosure by a pseudonymous researcher; treat with appropriate caution pending vendor confirmation.