CVE-2026-34406
Published: 31 March 2026
Description
APTRS (Automated Penetration Testing Reporting System) is a Python and Django-based automated reporting tool designed for penetration testers and security organizations. Prior to version 2.0.1, the edit_user endpoint (POST /api/auth/edituser/<pk>) allows any user who can reach that endpoint and submit crafted permission data to escalate their own account (or any other account) to superuser by including "is_superuser": true in the request body. The root cause is that CustomUserSerializer explicitly includes is_superuser in its fields list but omits it from read_only_fields, making it a writable field. The edit_user view performs no additional validation to prevent non-superusers from modifying this field. Once is_superuser is set to true, the account gains unrestricted access to all application functionality without requiring re-authentication. This issue has been patched in version 2.0.1.
Mitigating Controls (NIST 800-53 r5)
AC-3 requires enforcement of approved authorizations, directly addressing the lack of validation in the edit_user endpoint that allowed unauthorized modification of the is_superuser field.
AC-6 enforces least privilege, preventing low-privileged users from escalating to superuser via the vulnerable API endpoint.
AC-2 mandates proper account management including privilege assignment and review, which would mitigate unauthorized privilege changes in user accounts.
Security Summary
CVE-2026-34406 is a privilege escalation vulnerability in APTRS (Automated Penetration Testing Reporting System), a Python and Django-based automated reporting tool for penetration testers and security organizations. Affecting versions prior to 2.0.1, the issue resides in the CustomUserSerializer used by the edit_user endpoint (POST /api/auth/edituser/<pk>). The serializer explicitly lists the is_superuser field but omits it from read_only_fields, rendering it writable. Additionally, the edit_user view lacks validation to prevent non-superusers from modifying this field. The vulnerability carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) and is associated with CWE-915.
Any authenticated user with low privileges (PR:L) who can access the network-exposed endpoint (AV:N) can exploit this by submitting a crafted POST request with "is_superuser": true in the body, targeting their own account or any other <pk>. Successful exploitation escalates the targeted account to superuser status, granting unrestricted access to all application functionality without requiring re-authentication. This enables high-impact confidentiality, integrity, and availability violations.
The vulnerability has been patched in APTRS version 2.0.1. Security practitioners should upgrade to this version immediately. Relevant resources include the patching commit at https://github.com/APTRS/APTRS/commit/d1f1b3a5d1953082af8e075712ca29742e900d56, the release page at https://github.com/APTRS/APTRS/releases/tag/2.0.1, and the GitHub security advisory at https://github.com/APTRS/APTRS/security/advisories/GHSA-gv25-wp4h-9c35.
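As an added illustration (not code from APTRS, the advisory, or the patch commit), the following static check parses Django REST Framework serializer source with Python's ast module and reports privilege-bearing fields that appear in Meta.fields but are missing from Meta.read_only_fields, which is the root cause described above. The two serializer snippets are constructed to mirror the bug and its fix; the exact field lists in APTRS are assumed, and is_staff is flagged alongside is_superuser as a generalization beyond the page.

```python
import ast

# Django user fields that carry privilege and must never be writable through a
# general-purpose user serializer. The page concerns is_superuser; is_staff is
# added as a generalization of the same mass-assignment (CWE-915) pattern.
SENSITIVE_FIELDS = {"is_superuser", "is_staff"}

def _string_list(node):
    """Return the string literals in a list/tuple AST node, else None."""
    if isinstance(node, (ast.List, ast.Tuple)):
        return [e.value for e in node.elts
                if isinstance(e, ast.Constant) and isinstance(e.value, str)]
    return None

def writable_sensitive_fields(source):
    """Map each serializer class name to its writable sensitive fields.

    A field counts as writable when it is listed in Meta.fields (or fields is
    "__all__") and not listed in Meta.read_only_fields. Source is only parsed,
    never executed, so Django does not need to be installed.
    """
    findings = {}
    for cls in ast.walk(ast.parse(source)):
        if not isinstance(cls, ast.ClassDef):
            continue
        meta = next((n for n in cls.body
                     if isinstance(n, ast.ClassDef) and n.name == "Meta"), None)
        if meta is None:
            continue
        fields, read_only = None, set()
        for stmt in meta.body:
            if not isinstance(stmt, ast.Assign):
                continue
            for target in stmt.targets:
                if not isinstance(target, ast.Name):
                    continue
                if target.id == "fields":
                    if isinstance(stmt.value, ast.Constant) and stmt.value.value == "__all__":
                        fields = "__all__"
                    else:
                        fields = _string_list(stmt.value)
                elif target.id == "read_only_fields":
                    read_only = set(_string_list(stmt.value) or [])
        if fields is None:
            continue
        exposed = SENSITIVE_FIELDS if fields == "__all__" else set(fields) & SENSITIVE_FIELDS
        writable = sorted(exposed - read_only)
        if writable:
            findings[cls.name] = writable
    return findings

# Constructed serializer source mirroring the vulnerable and fixed shapes (assumed field lists).
VULNERABLE = "class CustomUserSerializer(serializers.ModelSerializer):\n    class Meta:\n" \
    "        model = CustomUser\n        fields = ['id', 'username', 'email', 'is_superuser']\n" \
    "        read_only_fields = ['id']\n"
FIXED = VULNERABLE.replace("read_only_fields = ['id']", "read_only_fields = ['id', 'is_superuser']")
```

Running `writable_sensitive_fields(VULNERABLE)` reports is_superuser for CustomUserSerializer, while the FIXED source yields no findings; the check is a cheap CI gate against reintroducing the pattern.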
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability enables low-privileged authenticated users to escalate privileges to superuser by exploiting a writable is_superuser field in the network-exposed edit_user API endpoint without proper validation, directly mapping to Exploitation for Privilege Escalation (T1068).