Description
APTRS (Automated Penetration Testing Reporting System) is a Python and Django-based automated reporting tool designed for penetration testers and security organizations. Prior to version 2.0.1, the edit_user endpoint (POST /api/auth/edituser/<pk>) allows any user who can reach that endpoint and submit a crafted payload to escalate their own account (or any other account) to superuser by including "is_superuser": true in the request body. The root cause is that CustomUserSerializer explicitly includes is_superuser in its fields list but omits it from read_only_fields, making it a writable field. The edit_user view performs no additional validation to prevent non-superusers from modifying this field. Once is_superuser is set to true, the account gains unrestricted access to all application functionality without requiring re-authentication. This issue has been patched in version 2.0.1.
Published: 2026-03-31
Score: 9.4 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Privilege Escalation via Mass Assignment
Action: Immediate Patch
AI Analysis

Impact

APTRS exposes a critical privilege escalation flaw in the user edit API. The endpoint accepts a JSON payload in which the field is_superuser is writable, because CustomUserSerializer lists it in fields without marking it read-only and the edit_user view adds no check of its own. An ordinary authenticated user can send a request that sets is_superuser to true on their own account (or on any other account addressable by pk) and obtain unrestricted control of the application, bypassing every internal permission check. This lets the attacker read, modify or delete any data and reconfigure system settings, effectively taking full control of the reporting platform.

Affected Systems

APTRS, the Automated Penetration Testing Reporting System built with Python and Django, is vulnerable in all releases prior to 2.0.1. The issue exists in the POST /api/auth/edituser/<pk> endpoint, where any authenticated user who can reach it can submit a mass-assignment payload.

Risk and Exploitability

The defect carries a CVSS 4.0 score of 9.4 from the CNA (NVD's CVSS 3.1 assessment is 8.8, High). Exploitation likelihood is rated low (EPSS < 1%), but the impact is total should an attacker succeed. The attack is straightforward: a user holding any valid account with network access to the API crafts a POST request that sets is_superuser to true. This is an authorization failure rather than an authentication bypass: the attacker must already be logged in (CVSS PR:L), and the escalated privileges take effect without re-authentication. The vulnerability is not listed in the CISA KEV catalog, although the SSVC enrichment records a public proof of concept (Exploitation: poc), so the low EPSS reflects observed exploitation, not difficulty.
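The serializer-level root cause and the missing view-level check described above, modelled as an added example. This is not APTRS code and does not use Django or Django REST Framework; it re-implements only the one DRF behaviour the advisory turns on, namely that keys listed in read_only_fields are dropped from client input before the instance is updated. The field list, the two read-only tuples, the User dataclass, the edit_user_* functions and the crafted payload are assumptions made for illustration. The hardened version also goes beyond the page's single field by treating is_staff and is_active as protected, on the same mass-assignment reasoning.

```python
"""Framework-free model of the is_superuser mass-assignment flaw.

Added example, not APTRS code.  It mirrors one DRF behaviour: keys named
in a serializer's read_only_fields are silently dropped from client input
before the instance is updated, so any field that is in `fields` but not
in `read_only_fields` is writable by whoever can reach the endpoint.
FIELDS, the *_READ_ONLY tuples, User and the edit_user_* functions are
assumed for illustration.
"""
from dataclasses import dataclass
from typing import Any, Dict, Iterable

# Same names as Django's built-in user model flags (assumed field list).
FIELDS = ("username", "email", "full_name", "is_active", "is_staff", "is_superuser")

# Pre-2.0.1 shape from the advisory: is_superuser is in `fields` but
# missing from `read_only_fields`.  (The single entry here is assumed.)
VULNERABLE_READ_ONLY = ("username",)

# Hardened shape.  The advisory's fix covers is_superuser; is_staff and
# is_active are added on the assumption that no privilege-bearing flag
# should be reachable through a self-service edit endpoint.
PRIVILEGE_FLAGS = frozenset({"is_superuser", "is_staff", "is_active"})
FIXED_READ_ONLY = ("username",) + tuple(sorted(PRIVILEGE_FLAGS))


@dataclass
class User:
    pk: int
    username: str
    email: str = ""
    full_name: str = ""
    is_active: bool = True
    is_staff: bool = False
    is_superuser: bool = False


def serializer_update(target: User, payload: Dict[str, Any], read_only: Iterable[str]) -> User:
    """Model of ModelSerializer.update(): undeclared keys are ignored,
    read-only keys are dropped, every other declared key is written."""
    blocked = set(read_only)
    for name in FIELDS:
        if name in payload and name not in blocked:
            setattr(target, name, payload[name])
    return target


def edit_user_vulnerable(requester: User, target: User, payload: Dict[str, Any]) -> User:
    """Vulnerable view: trusts the serializer, checks nothing about the requester."""
    return serializer_update(target, payload, VULNERABLE_READ_ONLY)


def edit_user_fixed(requester: User, target: User, payload: Dict[str, Any]) -> User:
    """Hardened view with two independent controls:
    1. the serializer makes privilege flags read-only, so they cannot be
       mass-assigned through this path even by a superuser;
    2. the view rejects, rather than silently drops, any attempt by a
       non-superuser to send them, so probing shows up as a 403 in logs
       instead of a 200 that quietly did less than asked."""
    attempted = PRIVILEGE_FLAGS.intersection(payload)
    if attempted and not requester.is_superuser:
        raise PermissionError(f"{requester.username!r} may not set {sorted(attempted)}")
    return serializer_update(target, payload, FIXED_READ_ONLY)


# Constructed request body: a benign email change carrying the privilege
# flag, which is the shape the advisory describes.
CRAFTED_PAYLOAD = {"email": "analyst@example.test", "is_superuser": True}


def run_demo() -> Dict[str, Any]:
    """Exercise both views with a low-privilege user editing their own pk."""
    out: Dict[str, Any] = {}

    victim = User(pk=7, username="analyst")
    edit_user_vulnerable(victim, victim, CRAFTED_PAYLOAD)
    out["vulnerable_escalated"] = victim.is_superuser      # True

    victim = User(pk=7, username="analyst")
    try:
        edit_user_fixed(victim, victim, CRAFTED_PAYLOAD)
        out["fixed_rejected"] = False
    except PermissionError:
        out["fixed_rejected"] = True                        # True
    out["fixed_escalated"] = victim.is_superuser            # False

    # Even a view that forgets the requester check cannot escalate through
    # the hardened serializer alone; the benign field is still applied.
    victim = User(pk=7, username="analyst")
    serializer_update(victim, CRAFTED_PAYLOAD, FIXED_READ_ONLY)
    out["serializer_only_escalated"] = victim.is_superuser  # False
    out["serializer_only_email"] = victim.email             # "analyst@example.test"
    return out


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The choice to raise in the view instead of relying on the serializer to drop the key is deliberate: a silently dropped is_superuser looks identical to a successful edit in the access log, whereas a rejected one gives detection something to alert on. Keeping the field read-only in the serializer as well means a later change to the view cannot reopen the hole on its own.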

Generated by OpenCVE AI on April 10, 2026 at 16:27 UTC.

Remediation

Fixed in APTRS 2.0.1, as stated in the description above; no workaround short of upgrading is documented.

OpenCVE Recommended Actions

  • Upgrade APTRS to version 2.0.1 or later, which removes the writable is_superuser field during user edits.
  • After upgrading, audit the user table for accounts whose is_superuser flag was set while the vulnerable version was deployed, since the upgrade does not revert escalations that have already occurred.

Advisories

No advisories yet.

History

Fri, 10 Apr 2026 15:45:00 +0000

Type         Values Removed   Values Added
Weaknesses                    NVD-CWE-noinfo
CPEs                          cpe:2.3:a:aptrs:aptrs:*:*:*:*:*:python:*:*
Metrics                       cvssV3_1 {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}


Fri, 03 Apr 2026 17:45:00 +0000

Type         Values Removed   Values Added
Metrics                       ssvc {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 02 Apr 2026 20:30:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Aptrs
                                      Aptrs aptrs
Vendors & Products                    Aptrs
                                      Aptrs aptrs

Wed, 01 Apr 2026 02:15:00 +0000

Type         Values Removed   Values Added
Description                   APTRS (Automated Penetration Testing Reporting System) is a Python and Django-based automated reporting tool designed for penetration testers and security organizations. Prior to version 2.0.1, the edit_user endpoint (POST /api/auth/edituser/<pk>) allows any user who can reach that endpoint and submit a crafted payload to escalate their own account (or any other account) to superuser by including "is_superuser": true in the request body. The root cause is that CustomUserSerializer explicitly includes is_superuser in its fields list but omits it from read_only_fields, making it a writable field. The edit_user view performs no additional validation to prevent non-superusers from modifying this field. Once is_superuser is set to true, the account gains unrestricted access to all application functionality without requiring re-authentication. This issue has been patched in version 2.0.1.
Title                         APTRS: Privilege Escalation via Mass Assignment of is_superuser in User Edit Endpoint
Weaknesses                    CWE-915
References
Metrics                       cvssV4_0 {'score': 9.4, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-03T16:38:03.750Z

Reserved: 2026-03-27T13:45:29.620Z

Link: CVE-2026-34406

Vulnrichment

Updated: 2026-04-03T16:37:59.197Z

NVD

Status : Analyzed

Published: 2026-03-31T22:16:18.990

Modified: 2026-04-10T15:43:33.397

Link: CVE-2026-34406

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-13T14:28:09Z

Weaknesses