CVE-2026-34406
Received Received - Intake
Privilege Escalation in APTRS via Writable is_superuser Field

Publication date: 2026-03-31

Last updated on: 2026-04-10

Assigner: GitHub, Inc.

Description
APTRS (Automated Penetration Testing Reporting System) is a Python and Django-based automated reporting tool designed for penetration testers and security organizations. Prior to version 2.0.1, the edit_user endpoint (POST /api/auth/edituser/<pk>) allows Any user who can reach that endpoint and submit crafted permission to escalate their own account (or any other account) to superuser by including "is_superuser": true in the request body. The root cause is that CustomUserSerializer explicitly includes is_superuser in its fields list but omits it from read_only_fields, making it a writable field. The edit_user view performs no additional validation to prevent non-superusers from modifying this field. Once is_superuser is set to true, gaining unrestricted access to all application functionality without requiring re-authentication. This issue has been patched in version 2.0.1.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-31
Last Modified
2026-04-10
Generated
2026-06-16
AI Q&A
2026-04-01
EPSS Evaluated
2026-06-15
NVD
CVE-2026-34406
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
aptrs aptrs to 2.0.1 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-915 The product receives input from an upstream component that specifies multiple attributes, properties, or fields that are to be initialized or updated in an object, but it does not properly control which attributes can be modified.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Detection Guidance

This vulnerability can be detected by monitoring or testing the edit_user API endpoint (/api/auth/edituser/<pk>) for unauthorized attempts to escalate privileges by submitting a POST request with the "is_superuser": true field in the request body.

A practical approach is to attempt sending a crafted POST request to the endpoint with the is_superuser field set to true and observe if the account privileges escalate without proper authorization.

Example command using curl to test the vulnerability (replace <pk> and URL accordingly):

  • curl -X POST -H "Content-Type: application/json" -d '{"is_superuser": true}' https://<target-domain>/api/auth/edituser/<pk>

If the response indicates success and the user privileges are escalated, the system is vulnerable.

Executive Summary

The vulnerability exists in APTRS (Automated Penetration Testing Reporting System) versions prior to 2.0.1, specifically in the edit_user endpoint. Any user who can access this endpoint can escalate their own or any other user's account to superuser by submitting a crafted request that includes "is_superuser": true in the request body.

This happens because the CustomUserSerializer includes the is_superuser field as writable (not read-only), and the edit_user view does not validate or restrict changes to this field by non-superusers.

As a result, an attacker can gain unrestricted access to all application functionality without needing to re-authenticate. This vulnerability was fixed in version 2.0.1.

Impact Analysis

This vulnerability allows any user with access to the edit_user endpoint to escalate their privileges to superuser level.

With superuser privileges, an attacker gains unrestricted access to all application functionality, potentially compromising the entire system.

This could lead to unauthorized data access, modification, deletion, or other malicious activities within the application.

Mitigation Strategies

To mitigate this vulnerability, you should upgrade APTRS to version 2.0.1 or later, where the issue has been patched.

Until the upgrade is applied, restrict access to the edit_user endpoint (POST /api/auth/edituser/<pk>) to trusted users only, as any user who can reach this endpoint can escalate privileges.

Compliance Impact

This vulnerability allows any user with access to the edit_user endpoint to escalate their privileges to superuser without proper authorization. Such unauthorized privilege escalation can lead to unrestricted access to sensitive data and system functionality.

This lack of access control and potential exposure of sensitive information could negatively impact compliance with common standards and regulations such as GDPR and HIPAA, which require strict access controls and protection of personal and sensitive data.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-34406. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart