CVE-2026-44987
Privilege Escalation in SysReptor via Email Manipulation
Publication date: 2026-05-08
Last updated on: 2026-05-08
Assigner: GitHub, Inc.
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| sysreptor | sysreptor | < 2026.29 (fixed in 2026.29) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-269 | The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability affects SysReptor, a pentest reporting platform. Before version 2026.29, users with "User Admin" permissions could change the email addresses of users with "Superuser" permissions. If the "Forgot Password" feature is enabled, these User Admins could reset the Superusers' passwords and log in as them, provided the Superusers did not have multi-factor authentication (MFA) enabled.
Once authenticated as a Superuser, the attacker could access the Django admin backend or modify SysReptor settings. Separately, User Admins can already assign themselves "Project Admin" permissions and thereby read every pentest project; that is intended behaviour of the role, not part of this bug, but it matters when judging what a User Admin account is worth to an attacker.
This vulnerability was fixed in version 2026.29.
How can this vulnerability impact me?
The vulnerability allows users with User Admin permissions to escalate their privileges by resetting Superuser passwords and gaining full Superuser access if MFA is not enabled. This can lead to unauthorized access to the backend administration interface and the ability to change system settings.
Since User Admins can assign themselves Project Admin permissions, they could also access all pentest projects, potentially exposing sensitive pentest data and reports.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, upgrade SysReptor to version 2026.29 or later, where the issue has been patched.
Leave the "Forgot Password" feature disabled unless it is genuinely needed. It is off by default, and the attack depends on it: without a self-service reset, redirecting a Superuser's email address does not by itself yield that Superuser's password.
Enforce Multi-Factor Authentication (MFA) for all Superuser accounts to prevent unauthorized password resets and authentication.
Review and restrict "User Admin" permissions to trusted users only, as these permissions allow changing Superuser email addresses and potentially resetting their passwords.
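The chain described above and the mitigations just listed can be exercised in a small model. The following is an added example, not SysReptor's own code: an in-memory user store with a "user admin" role, a vulnerable email-update check that only asks whether the actor is a user admin (the CWE-269 flaw), a hardened variant that also refuses to let a non-superuser edit a superuser account (an assumed rule for illustration; the exact check in 2026.29 may differ), and a simulated forgot-password flow. The users, reset tokens and "outbox" are all constructed here so the script runs offline.

```python
"""
Added example (not SysReptor's own code) modelling CVE-2026-44987.
A user admin redirects a superuser's recovery email to an inbox the
attacker controls, requests a password reset, consumes the token and
logs in. Users, tokens and mail delivery are constructed in-memory.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional
import secrets


@dataclass
class User:
    username: str
    email: str
    password: str
    is_superuser: bool = False
    is_user_admin: bool = False
    mfa_enabled: bool = False


class PermissionDenied(Exception):
    pass


# Simulated outbound mail: recipient address -> reset tokens delivered there.
OUTBOX: Dict[str, List[str]] = {}


def vulnerable_update_email(actor: User, target: User, new_email: str) -> None:
    """Before the fix: any user admin may edit any account's email (CWE-269)."""
    if not actor.is_user_admin:
        raise PermissionDenied("user-admin permission required")
    target.email = new_email


def hardened_update_email(actor: User, target: User, new_email: str) -> None:
    """After the fix (assumed rule): a non-superuser may not modify a superuser."""
    if not actor.is_user_admin:
        raise PermissionDenied("user-admin permission required")
    if target.is_superuser and not actor.is_superuser:
        raise PermissionDenied("only a superuser may edit a superuser account")
    target.email = new_email


def forgot_password(target: User, feature_enabled: bool) -> Optional[str]:
    """Mail a reset token to whatever address is currently on the account."""
    if not feature_enabled:
        return None
    token = secrets.token_urlsafe(16)
    OUTBOX.setdefault(target.email, []).append(token)
    return token


def reset_password(target: User, token: str, inbox: str, new_pw: str) -> bool:
    """Reset succeeds only if the token was delivered to the inbox the caller can read."""
    if token in OUTBOX.get(inbox, []):
        target.password = new_pw
        return True
    return False


def login(user: User, password: str, mfa_code_ok: bool) -> bool:
    """A bare password is sufficient only when the account has no MFA enrolled."""
    if user.password != password:
        return False
    return mfa_code_ok if user.mfa_enabled else True


def takeover_attempt(update_email: Callable[[User, User, str], None],
                     superuser_mfa: bool,
                     forgot_enabled: bool = True) -> bool:
    """Run the full chain as a user admin against a superuser; True means takeover."""
    OUTBOX.clear()
    root = User("root", "root@example.invalid", "correct horse",
                is_superuser=True, mfa_enabled=superuser_mfa)
    admin = User("helpdesk", "helpdesk@example.invalid", "pw", is_user_admin=True)
    attacker_inbox = admin.email  # the user admin reads this mailbox
    try:
        update_email(admin, root, attacker_inbox)  # step 1: redirect recovery mail
    except PermissionDenied:
        return False
    token = forgot_password(root, forgot_enabled)  # step 2: request a reset
    if token is None:
        return False
    if not reset_password(root, token, attacker_inbox, "owned"):  # step 3
        return False
    # Step 4: the attacker holds no MFA device for root, so mfa_code_ok is False.
    return login(root, "owned", mfa_code_ok=False)


if __name__ == "__main__":
    print("vulnerable, no MFA      :", takeover_attempt(vulnerable_update_email, False))
    print("vulnerable, MFA on root :", takeover_attempt(vulnerable_update_email, True))
    print("vulnerable, reset off   :", takeover_attempt(vulnerable_update_email, False, False))
    print("hardened, no MFA        :", takeover_attempt(hardened_update_email, False))
```

Each of the three mitigations above closes a different step of the chain: the hardened permission check stops step 1, disabling self-service reset stops step 2, and MFA on the Superuser stops step 4 even after the password has been changed. Only the upgrade removes the root cause; the other two are compensating controls worth keeping regardless.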
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability allows users with "User Admin" permissions to change email addresses and reset passwords of "Superuser" accounts if the "Forgot Password" functionality is enabled and the Superuser has no MFA. This could lead to unauthorized access to sensitive pentest projects and backend settings.
Such unauthorized access could potentially lead to exposure or manipulation of sensitive data, which may impact compliance with standards and regulations like GDPR or HIPAA that require strict access controls and protection of sensitive information.
However, the provided information does not explicitly state the direct impact on compliance with these standards.