Description
APTRS (Automated Penetration Testing Reporting System) is a Python and Django-based automated reporting tool designed for penetration testers and security organizations. Prior to version 2.0.1, the edit_user endpoint (POST /api/auth/edituser/<pk>) allows any user who can reach that endpoint and submit a crafted request to escalate their own account (or any other account) to superuser by including "is_superuser": true in the request body. The root cause is that CustomUserSerializer explicitly includes is_superuser in its fields list but omits it from read_only_fields, making it a writable field. The edit_user view performs no additional validation to prevent non-superusers from modifying this field. Once is_superuser is set to true, the account gains unrestricted access to all application functionality without requiring re-authentication. This issue has been patched in version 2.0.1.
Published: 2026-03-31
Score: 9.4 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Privilege Escalation to superuser
Action: Immediate Patch
AI Analysis

Impact

CVE-2026-34406 is a privilege escalation flaw in APTRS. The edit_user API endpoint (POST /api/auth/edituser/<pk>) deserializes the JSON body through CustomUserSerializer, which lists is_superuser among its fields without marking it read-only, so the field is writable from request data. Any authenticated user who can reach the endpoint can therefore set is_superuser to true on their own account, or on any other account selected by <pk>. The affected account becomes a superuser with unrestricted access to all application functionality; no new login is needed because Django evaluates the flag from the stored user record on each subsequent request. This is a mass-assignment weakness: a privilege-bearing model attribute is exposed to client-controlled input and the view adds no permission check (CWE-915, Improperly Controlled Modification of Dynamically-Determined Object Attributes).

Affected Systems

APTRS is a Django-based automated penetration testing reporting system; the vendor and product are both tracked as Aptrs. All releases before 2.0.1 are affected. Any deployment running one of those releases in which the /api/auth/edituser/<pk> endpoint is reachable by authenticated, non-superuser accounts is vulnerable. The issue is fixed in 2.0.1 and later.

Risk and Exploitability

The flaw carries a CVSS 4.0 base score of 9.4 (Critical) with vector CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H: network-reachable, low attack complexity, no preconditions, low privileges and no user interaction, with high impact on confidentiality, integrity and availability of the vulnerable system and of subsequent systems. The EPSS estimate is currently below 1% (Very Low); for a CVE published only days ago that is not evidence of difficulty, and the requirements are minimal: an attacker needs any authenticated account and network access to the edit_user endpoint, and a single crafted POST is enough. Because the new privilege takes effect without re-authentication, the escalation is immediate, and because any <pk> can be targeted, other accounts can be promoted as well. The vulnerability is not listed in CISA's KEV catalog, but the critical score and trivial exploitation path warrant immediate attention.

Generated by OpenCVE AI on April 1, 2026 at 06:06 UTC.

Remediation

Fixed in APTRS 2.0.1 (see Description). Until the upgrade is applied, use the interim measures listed under Recommended Actions.

OpenCVE Recommended Actions

  • Upgrade the APTRS installation to version 2.0.1 or newer.
  • If the patch cannot be applied immediately, add is_superuser to read_only_fields in CustomUserSerializer so the field can no longer be set from request data, and have the edit_user view reject privilege-bearing fields from non-superuser callers outright rather than silently dropping them, so attempts are visible in logs.
  • Alternatively, restrict /api/auth/edituser/<pk> to superusers only or temporarily disable the endpoint until the fix is deployed.
  • After patching, audit accounts: the fix closes the write path but does not revert escalations that already happened. List every user with is_superuser set, compare against the expected administrators, and treat any unexpected superuser as a compromise indicator.
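Added example (not from the APTRS code base or the original page): the vulnerable serializer configuration beside the fixed one, and the post-upgrade audit for accounts that were already escalated, written as plain Python that stands in for the Django REST Framework ModelSerializer the real edit_user view uses, so it runs without Django. The one DRF rule it reproduces is the one behind the bug: a field named in fields but absent from read_only_fields is writable from request data. The User model, the field names other than is_superuser, the PermissionDenied stub, the is_rejected helper and the sample accounts are assumptions for illustration.

```python
"""
Mass assignment of is_superuser (CVE-2026-34406) and the fix, side by side.

Stand-in for a DRF ModelSerializer: unknown keys and read-only keys are
dropped, every other declared field is written to the model instance.
User, PermissionDenied, is_rejected and the sample data are assumptions.
"""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class User:
    pk: int
    username: str
    email: str
    is_superuser: bool = False


class PermissionDenied(Exception):
    """Stands in for rest_framework.exceptions.PermissionDenied (assumed)."""


# Serializer declarations. Vulnerable: is_superuser is in FIELDS but not in
# the read-only set, so the serializer writes it from the request body.
FIELDS = ("pk", "username", "email", "is_superuser")
READ_ONLY_VULNERABLE = frozenset({"pk"})
READ_ONLY_FIXED = frozenset({"pk", "is_superuser"})

# Keys that confer privilege; any other privilege flag the model has belongs here too.
PRIVILEGED_FIELDS = frozenset({"is_superuser"})


def serializer_update(target: User, data: dict, read_only: frozenset) -> User:
    """Mimic ModelSerializer.update(): silently drop unknown and read-only
    keys, write everything else that is a declared field."""
    writable = {k: v for k, v in data.items() if k in FIELDS and k not in read_only}
    return replace(target, **writable)


def edit_user_vulnerable(actor: User, target: User, data: dict) -> User:
    """Pre-2.0.1 behaviour: the caller is never consulted (the missing
    permission check) and is_superuser is writable."""
    del actor
    return serializer_update(target, data, READ_ONLY_VULNERABLE)


def edit_user_fixed(actor: User, target: User, data: dict) -> User:
    """Fixed behaviour, two layers:
    1. is_superuser is read-only in the serializer, so it can never be
       mass-assigned regardless of what the view does;
    2. the view refuses privilege-bearing keys from non-superusers outright
       instead of silently dropping them, so attempts surface as 403s.
    A superuser sending the key is not refused, but the serializer still
    ignores it; promotion belongs in a dedicated, explicitly authorized path."""
    requested = PRIVILEGED_FIELDS.intersection(data)
    if requested and not actor.is_superuser:
        raise PermissionDenied(
            f"user {actor.pk} may not modify {sorted(requested)} on user {target.pk}"
        )
    return serializer_update(target, data, READ_ONLY_FIXED)


def is_rejected(view, actor: User, target: User, data: dict) -> bool:
    """True if `view` refuses the request with PermissionDenied."""
    try:
        view(actor, target, data)
    except PermissionDenied:
        return True
    return False


def unexpected_superusers(users, expected_pks) -> list:
    """Post-patch audit: superuser flags that are not on the known-good list.
    Upgrading removes the write path but does not undo escalations that
    already happened, so the stored flag must be compared against expectations."""
    expected = set(expected_pks)
    return sorted(u.pk for u in users if u.is_superuser and u.pk not in expected)


# Constructed sample data (not from any real deployment).
ADMIN = User(pk=1, username="admin", email="admin@example.com", is_superuser=True)
ATTACKER = User(pk=7, username="tester", email="tester@example.com")
VICTIM = User(pk=9, username="reviewer", email="reviewer@example.com")

# The crafted body from the advisory: an ordinary profile edit plus one extra
# key, sent to /api/auth/edituser/7 (self) or /api/auth/edituser/9 (someone else).
CRAFTED_BODY = {"email": "tester@example.com", "is_superuser": True}


if __name__ == "__main__":
    escalated = edit_user_vulnerable(ATTACKER, ATTACKER, CRAFTED_BODY)
    print("vulnerable, self  :", escalated.is_superuser)  # True
    print("vulnerable, other :", edit_user_vulnerable(ATTACKER, VICTIM, CRAFTED_BODY).is_superuser)  # True
    print("fixed, rejected   :", is_rejected(edit_user_fixed, ATTACKER, ATTACKER, CRAFTED_BODY))  # True
    print("fixed, plain edit :", edit_user_fixed(ATTACKER, ATTACKER, {"email": "x@example.com"}).is_superuser)  # False
    print("audit finds       :", unexpected_superusers([ADMIN, escalated, VICTIM], expected_pks={1}))  # [7]
```

The view-level refusal is deliberate: making the field read-only alone would cause DRF to drop "is_superuser" silently, so an attacker probing the endpoint would get a 200 and no trace would reach your logs. Rejecting with 403 turns each attempt into a loggable event.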


Advisories

No advisories yet.

History

Thu, 02 Apr 2026 20:30:00 +0000

First Time appeared
  Values Added: Aptrs; Aptrs aptrs

Vendors & Products
  Values Added: Aptrs; Aptrs aptrs

Wed, 01 Apr 2026 02:15:00 +0000

Description
  Values Added: APTRS (Automated Penetration Testing Reporting System) is a Python and Django-based automated reporting tool designed for penetration testers and security organizations. Prior to version 2.0.1, the edit_user endpoint (POST /api/auth/edituser/<pk>) allows any user who can reach that endpoint and submit a crafted request to escalate their own account (or any other account) to superuser by including "is_superuser": true in the request body. The root cause is that CustomUserSerializer explicitly includes is_superuser in its fields list but omits it from read_only_fields, making it a writable field. The edit_user view performs no additional validation to prevent non-superusers from modifying this field. Once is_superuser is set to true, the account gains unrestricted access to all application functionality without requiring re-authentication. This issue has been patched in version 2.0.1.

Title
  Values Added: APTRS: Privilege Escalation via Mass Assignment of is_superuser in User Edit Endpoint

Weaknesses
  Values Added: CWE-915

References
  Values Added:

Metrics
  Values Added: cvssV4_0 {'score': 9.4, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-31T21:18:51.205Z

Reserved: 2026-03-27T13:45:29.620Z

Link: CVE-2026-34406

Vulnrichment

No data.

NVD

Status : Awaiting Analysis

Published: 2026-03-31T22:16:18.990

Modified: 2026-04-01T14:23:37.727

Link: CVE-2026-34406

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-02T20:10:27Z

Weaknesses