PT-2026-29372 · Aptrs · Aptrs
Jfoz1010
·
Published
2026-03-31
·
Updated
2026-03-31
·
CVE-2026-34406
CVSS v4.0
9.4
Critical
| AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
Name of the Vulnerable Software and Affected Versions
APTRS versions prior to 2.0.1
Description
APTRS (Automated Penetration Testing Reporting System) is a Python and Django-based automated reporting tool. A flaw exists in the
edit user API endpoint ('/api/auth/edituser/') where a user can elevate their privileges to superuser by submitting a crafted request. Specifically, including "is superuser": true in the request body allows unauthorized modification of the is superuser attribute. The issue stems from the CustomUserSerializer exposing the is superuser field as writable without proper validation within the edit user view. Successful exploitation grants unrestricted access to all application functionality without re-authentication. The vulnerable parameter is is superuser.Recommendations
Update to version 2.0.1 or later.
Fix
LPE
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Aptrs