CVE-2026-58054 - MyBB limited ACP user management administrator escalation

CVE-2026-58054 + MyBB limited ACP user management administrator escalation + High + 2026-06-28

One-sentence business risk

A delegated user admin can promote accounts to full administrator, turning routine support permissions into site takeover.

Research notes

  • Root cause: MyBB 1.8.40 does not restrict which usergroup a limited Admin Control Panel user may assign when creating or editing users; the user module offers the Administrators group (gid 4) and its datahandler’s verify_usergroup() unconditionally returns true.
  • Affected versions: MyBB 1.8.40 limited Admin Control Panel user management.
  • Fixed / safe versions: vendor-patched MyBB release or local group-assignment allowlist patch.
  • Public exploit / PoC signal: public PoC or exploit details are referenced by NVD; use only safe regression tests and do not execute exploit payloads against production.
  • CVSS: 7.2 CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H.

Exact vulnerable code pattern

if (user.canManageUsers()) {
    target.setUsergroup(request.getInt("usergroup"));
}

Fixed / mitigated code pattern

if (user.canManageUsers()) {
    int group = request.getInt("usergroup");
    requireAllowedAssignableGroup(user, group);
    rejectIfGroupGrantsMorePrivilegeThan(user, group);
    target.setUsergroup(group);
}

Dependency or runtime update:

rg -n "preview(6|7)?\.php|archive\.php|course_year_section|\bsy\b" .
php -l preview.php preview6.php preview7.php archive.php
# deploy prepared-statement patch

Step-by-step integration guide

  1. Inventory MyBB in source, lockfiles, SBOMs, CI images, containers, deployment manifests, and managed runtimes.
  2. Upgrade or patch to vendor-patched MyBB release or local group-assignment allowlist patch; if no upstream package is available, apply the local guard shown above and track the vendor release as a blocking follow-up.
  3. Replace every vulnerable authz pattern with a fail-closed implementation that validates ownership, bounds, canonical paths, origin/session binding, or parser limits before acting.
  4. Add a regression test that reproduces the advisory shape safely and proves the request is rejected, bounded, or authorized.
  5. Deploy through canary, monitor auth, file, parser, crash, and CI-runner logs, then remove temporary edge blocks only after all runtimes are fixed.

Alternative mitigations

  • Disable the vulnerable feature path, decoder, plugin, runner backend, proxy agent, or route while the patch rolls out.
  • Add WAF/reverse-proxy rules for SQL metacharacters, traversal tokens, unsafe Docker flags, oversized/nested payloads, or unexpected session-origin transitions matching this trigger class.
  • Restrict egress and access to untrusted artifacts, SSH servers, media uploads, workflow execution, and administrative delegation until fixed versions are verified.
  • Rotate credentials and invalidate sessions if logs show the vulnerable path was reachable by untrusted users.

Detection signature

id: cve-2026-58054-mybb-limited-acp-user-management-administrator-e
source: NVD
package_or_product: "MyBB"
affected: "MyBB 1.8.40 limited Admin Control Panel user management"
fixed: "vendor-patched MyBB release or local group-assignment allowlist patch"
cvss: "7.2 CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H"
signals:
  - "authz"
  - "CVE-2026-58054"
  - "MyBB"
action: "upgrade, add a regression test, and verify deploy artifact"

Copy-paste skill

You are remediating CVE-2026-58054 (MyBB limited ACP user management administrator escalation) in this repository.

Produce a reviewer-ready PR or TRIAGE.md. Inventory MyBB across source, lockfiles, images, CI, deployment manifests, and SBOMs. Apply vendor-patched MyBB release or local group-assignment allowlist patch. Replace the vulnerable authz pattern with the fail-closed pattern, add a regression test for the advisory trigger, and document owner, rollout, rollback, and validation evidence. Do not run public exploit PoCs against production or expose secrets in logs.

Keywords, affected tech stack, and revenue tags

  • Keywords: CVE-2026-58054, authz, MyBB, NVD.
  • Affected tech stack: php/mysql.
  • Revenue tags: sellable_to_fintech, enterprise_blocker, high_priority_sla.

References