CVE-2026-34406

Name of the Vulnerable Software and Affected Versions APTRS versions prior to 2.0.1

Description APTRS (Automated Penetration Testing Reporting System) is a Python and Django-based automated reporting tool. A flaw exists in the edit user API endpoint ('/api/auth/edituser/') where a user can elevate their privileges to superuser by submitting a crafted request. Specifically, including "is superuser": true in the request body allows unauthorized modification of the is superuser attribute. The issue stems from the CustomUserSerializer exposing the is superuser field as writable without proper validation within the edit user view. Successful exploitation grants unrestricted access to all application functionality without re-authentication. The vulnerable parameter is is superuser.

Recommendations Update to version 2.0.1 or later.