CVE-2026-58054 - MyBB limited ACP user group privilege escalation

CVE-2026-58054 - MyBB limited ACP user group privilege escalation - High - 2026-06-28

Business risk: A delegated helpdesk/admin user can promote any account to full forum administrator.

Root cause: The user module exposes gid 4 and verify_usergroup accepts assignment without checking whether the acting admin may grant that group.

Affected versions

  • Vulnerable: MyBB 1.8.40 delegated Admin Control Panel user-management flows.
  • Fixed / safe target: Upgrade/backport a fix that prevents limited ACP users from assigning privileged groups unless explicitly authorized.
  • CVSS: 7.2 (High)

Exact vulnerable code pattern

$user = array('uid' => $uid, 'usergroup' => (int) $mybb->input['usergroup']);
$userhandler->set_data($user);
$userhandler->validate_user();
$userhandler->update_user();

Fixed / mitigated code pattern

$targetGroup = (int) $mybb->input['usergroup'];
if (is_privileged_group($targetGroup) && !admin_can_grant_group($mybb->user, $targetGroup)) {
    admin_redirect('index.php?module=user-users');
}
$userhandler->set_data(array('uid' => $uid, 'usergroup' => $targetGroup));

Step-by-step integration guide

  1. Inventory MyBB 1.8.40 installs and forks.
  2. Upgrade/backport the ACP group-assignment authorization fix.
  3. Remove delegated user-management permission from limited ACP accounts until patched.
  4. Audit recent assignments to gid 4.
  5. Add tests proving limited admins cannot grant Administrator.

Alternative mitigations

  • Restrict ACP access by IP/VPN.
  • Temporarily remove user-management permission from non-owner ACP roles.
  • Alert on new Administrator group memberships.

Detection signature

rg -n "verify_usergroup|usergroup.*4|admin_can_grant|module=user-users|MyBB" .

Copy-paste skill block

Model context: this prompt was generated by GPT 5.5 Extra High reasoning.

Remediate CVE-2026-58054: MyBB limited ACP user group privilege escalation.

Required output:
- A reviewer-ready PR with dependency/config/code changes, tests, and deployment notes; or
- TRIAGE.md if the affected runtime is outside this repository.

Steps:
1. Confirm exposure using the detection signature above.
2. Apply the fixed or mitigated pattern.
3. Add or run a regression test for the exploit shape.
4. Record commands, versions, and residual risk in the PR body.

Boundaries:
- Scope only CVE-2026-58054 and directly related hardening.
- Do not run destructive exploit payloads against production.
- Preserve existing behavior except for the vulnerable path.

Tags and revenue routing

  • Keywords: cve, mybb, php, authorization, privilege-escalation, sellable_to_hosting, enterprise_blocker, high
  • Affected tech stack: php
  • Revenue tags: sellable_to_hosting, enterprise_blocker

References