CVE-2026-44987
Received Received - Intake
Privilege Escalation in SysReptor via Email Manipulation

Publication date: 2026-05-08

Last updated on: 2026-05-08

Assigner: GitHub, Inc.

Description
SysReptor is a fully customizable pentest reporting platform. Prior to version 2026.29, users with "User Admin" permissions can change the email addresses of users with "Superuser" permissions. If the SysReptor installation has the "Forgot Password" functionality enabled (non-default), they can reset the Superusers' passwords and authenticate, if the Superuser has no MFA enabled. User managers can then access the Django backend (/admin) or manipulate the settings of the SysReptor installation. Note that user managers have the ability to access all pentest projects by assigning themselves "Project Admin" permissions. This is intentional and by design. This issue has been patched in version 2026.29.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-08
Last Modified
2026-05-08
Generated
2026-06-19
AI Q&A
2026-05-09
EPSS Evaluated
2026-06-18
NVD
CVE-2026-44987
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
sysreptor sysreptor to 2026.29 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-269 The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability affects SysReptor, a pentest reporting platform. Before version 2026.29, users with "User Admin" permissions could change the email addresses of users with "Superuser" permissions. If the "Forgot Password" feature is enabled, these User Admins could reset the Superusers' passwords and log in as them, provided the Superusers did not have multi-factor authentication (MFA) enabled.

Once authenticated as a Superuser, the attacker could access the Django backend or modify SysReptor settings. Additionally, User Admins can assign themselves "Project Admin" permissions, allowing access to all pentest projects, which is an intentional design feature.

This vulnerability was fixed in version 2026.29.

Impact Analysis

The vulnerability allows users with User Admin permissions to escalate their privileges by resetting Superuser passwords and gaining full Superuser access if MFA is not enabled. This can lead to unauthorized access to the backend administration interface and the ability to change system settings.

Since User Admins can assign themselves Project Admin permissions, they could also access all pentest projects, potentially exposing sensitive pentest data and reports.

Mitigation Strategies

To mitigate this vulnerability, upgrade SysReptor to version 2026.29 or later, where the issue has been patched.

Additionally, ensure that the "Forgot Password" functionality is disabled if not needed, as it is non-default and its presence enables exploitation.

Enforce Multi-Factor Authentication (MFA) for all Superuser accounts to prevent unauthorized password resets and authentication.

Review and restrict "User Admin" permissions to trusted users only, as these permissions allow changing Superuser email addresses and potentially resetting their passwords.

Compliance Impact

The vulnerability allows users with "User Admin" permissions to change email addresses and reset passwords of "Superuser" accounts if the "Forgot Password" functionality is enabled and the Superuser has no MFA. This could lead to unauthorized access to sensitive pentest projects and backend settings.

Such unauthorized access could potentially lead to exposure or manipulation of sensitive data, which may impact compliance with standards and regulations like GDPR or HIPAA that require strict access controls and protection of sensitive information.

However, the provided information does not explicitly state the direct impact on compliance with these standards.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-44987. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart