MantisBT 2.28.0/2.28.1 Global Profile Creation via tampered user_id (CVE-2026-33052)
CVE-2026-33052 Published on May 19, 2026
MantisBT: Authorization Bypass in Global Profile Creation
Mantis Bug Tracker (MantisBT) is an open source issue tracker. Versions 2.28.0 and 2.28.1 allow a low-privileged authenticated user assigned the "add_profile_threshold" permission to create a global profile despite not having manage_global_profile_threshold, by tampering with the user_id parameter in a valid profile creation request. This issue has been fixed in version 2.28.2.
Weakness Type
What is an Insecure Direct Object Reference / IDOR Vulnerability?
The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.
CVE-2026-33052 has been classified to as an Insecure Direct Object Reference / IDOR vulnerability or weakness.
Products Associated with CVE-2026-33052
Want to know whenever a new CVE is published for MantisBT? stack.watch will email you.
Affected Versions
mantisbt Version >= 2.28.0, < 2.28.2 is affected by CVE-2026-33052Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.