CVE-2026-34406
Privilege Escalation in APTRS via Writable is_superuser Field

Publication date: 2026-03-31

Last updated on: 2026-04-10

Assigner: GitHub, Inc.

Description
APTRS (Automated Penetration Testing Reporting System) is a Python and Django-based automated reporting tool designed for penetration testers and security organizations. Prior to version 2.0.1, the edit_user endpoint (POST /api/auth/edituser/<pk>) allows any user who can reach that endpoint and submit a crafted request to escalate their own account (or any other account) to superuser by including "is_superuser": true in the request body. The root cause is that CustomUserSerializer explicitly includes is_superuser in its fields list but omits it from read_only_fields, making it a writable field. The edit_user view performs no additional validation to prevent non-superusers from modifying this field. Once is_superuser is set to true, the account gains unrestricted access to all application functionality without requiring re-authentication. This issue has been patched in version 2.0.1.
Meta Information
Published: 2026-03-31
Last Modified: 2026-04-10
Generated: 2026-05-07
AI Q&A: 2026-04-01
EPSS Evaluated: 2026-05-05
NVD
Affected Vendors & Products
Vendor: aptrs
Product: aptrs
Version / Range: up to 2.0.1 (2.0.1 excluded)
CWE
CWE-915: The product receives input from an upstream component that specifies multiple attributes, properties, or fields that are to be initialized or updated in an object, but it does not properly control which attributes can be modified.
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

This vulnerability allows any user with access to the edit_user endpoint to escalate their privileges to superuser without proper authorization. Such unauthorized privilege escalation can lead to unrestricted access to sensitive data and system functionality.

This lack of access control and potential exposure of sensitive information could negatively impact compliance with common standards and regulations such as GDPR and HIPAA, which require strict access controls and protection of personal and sensitive data.


Can you explain this vulnerability to me?

The vulnerability exists in APTRS (Automated Penetration Testing Reporting System) versions prior to 2.0.1, specifically in the edit_user endpoint. Any user who can access this endpoint can escalate their own or any other user's account to superuser by submitting a crafted request that includes "is_superuser": true in the request body.

This happens because the CustomUserSerializer includes the is_superuser field as writable (not read-only), and the edit_user view does not validate or restrict changes to this field by non-superusers.

As a result, an attacker can gain unrestricted access to all application functionality without needing to re-authenticate. This vulnerability was fixed in version 2.0.1.


How can this vulnerability impact me?

This vulnerability allows any user with access to the edit_user endpoint to escalate their privileges to superuser level.

With superuser privileges, an attacker gains unrestricted access to all application functionality, potentially compromising the entire system.

This could lead to unauthorized data access, modification, deletion, or other malicious activities within the application.


What immediate steps should I take to mitigate this vulnerability?

To mitigate this vulnerability, you should upgrade APTRS to version 2.0.1 or later, where the issue has been patched.

Until the upgrade is applied, restrict access to the edit_user endpoint (POST /api/auth/edituser/<pk>) to trusted users only, as any user who can reach this endpoint can escalate privileges.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by monitoring or testing the edit_user API endpoint (/api/auth/edituser/<pk>) for unauthorized attempts to escalate privileges by submitting a POST request with the "is_superuser": true field in the request body.

A practical approach is to attempt sending a crafted POST request to the endpoint with the is_superuser field set to true and observe if the account privileges escalate without proper authorization.

Example command using curl to test the vulnerability (replace <pk> and URL accordingly):

  • curl -X POST -H "Content-Type: application/json" -d '{"is_superuser": true}' https://<target-domain>/api/auth/edituser/<pk>

If the response indicates success and the user privileges are escalated, the system is vulnerable.
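As an added example (not APTRS code, and not from the advisory), the following Python shows both sides of this issue: a server-side check that treats is_superuser as read-only for non-superusers, which is what the fix via read_only_fields achieves, and a log scanner that flags POSTs to /api/auth/edituser/<pk> in which a non-superuser submitted "is_superuser": true. The log line format, the actor/superuser fields, the sample lines and the inclusion of is_staff are all constructed assumptions for this example.

```python
import json
import re

# Constructed request-log format for this example (not APTRS's own log format):
#   METHOD PATH actor=<user> superuser=<0|1> body=<json>
LOG_LINE = re.compile(r'^(?P<method>[A-Z]+) (?P<path>\S+) actor=(?P<actor>\S+) '
                      r'superuser=(?P<su>[01]) body=(?P<body>.*)$')
EDIT_USER_PATH = re.compile(r'^/api/auth/edituser/(?P<pk>\d+)/?$')

# Privileged fields edit_user must treat as read-only for non-superusers.
# is_superuser is the field from CVE-2026-34406; is_staff is assumed to need the same.
PROTECTED_FIELDS = {"is_superuser", "is_staff"}

def sanitize_update(payload: dict, caller_is_superuser: bool) -> dict:
    """Server-side equivalent of listing the field in read_only_fields:
    privileged keys are silently dropped unless the caller is already a superuser."""
    if caller_is_superuser:
        return dict(payload)
    return {k: v for k, v in payload.items() if k not in PROTECTED_FIELDS}

def scan_log(lines):
    """Return (actor, target_pk, fields) for each POST to edit_user in which a
    non-superuser submitted a privileged field set to true."""
    findings = []
    for line in lines:
        m = LOG_LINE.match(line.strip())
        if not m or m["method"] != "POST":
            continue
        path = EDIT_USER_PATH.match(m["path"])
        if not path:
            continue
        try:
            body = json.loads(m["body"])
        except json.JSONDecodeError:
            continue  # malformed or empty body: nothing to inspect
        if not isinstance(body, dict):
            continue
        hit = tuple(sorted(k for k in PROTECTED_FIELDS if body.get(k) is True))
        if hit and m["su"] == "0":
            findings.append((m["actor"], path["pk"], hit))
    return findings

SAMPLE_LOG = [  # constructed sample lines
    'POST /api/auth/edituser/7 actor=alice superuser=0 body={"full_name": "Alice"}',
    'POST /api/auth/edituser/7 actor=alice superuser=0 body={"is_superuser": true}',
    'POST /api/auth/edituser/3 actor=root superuser=1 body={"is_superuser": true}',
    'PUT /api/auth/edituser/7 actor=bob superuser=0 body={"is_superuser": true}',
]
```

Running scan_log over SAMPLE_LOG reports only alice's second request; the superuser's own change and the non-POST request are not flagged.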

