CVE-2026-58054
HighCVSS 7.2Exploitation Probability (EPSS)
Low risk19th percentile — higher than 19% of all known CVEs
Summary
In MyBB 1.8.40, a limited administrator with user management permissions can assign any usergroup, including the Administrators group (gid 4). The verify_usergroup() function in the user module always returns true, allowing privilege escalation to full administrator permissions.
Risk Assessment
The organization is at risk of unauthorized privilege escalation by a user with limited admin panel access, potentially leading to full compromise of the MyBB system.
Recommendation
Immediately upgrade MyBB to version 1.8.41 or later, which includes a fix restricting usergroup assignment for limited administrators.
Original NVD description (English source)
MyBB 1.8.40 does not restrict which usergroup a limited Admin Control Panel user may assign when creating or editing users; the user module offers the Administrators group (gid 4) and its datahandler's verify_usergroup() unconditionally returns true. An admin holding only the delegated user-management permission can assign the Administrators group to an account and escalate to the full Administrator permission set.

