Vulnerability Description
APTRS (Automated Penetration Testing Reporting System) is a Python and Django-based automated reporting tool designed for penetration testers and security organizations. Prior to version 2.0.1, the edit_user endpoint (POST /api/auth/edituser/<pk>) allows any authenticated user who can reach that endpoint to escalate their own account (or any other account) to superuser by including "is_superuser": true in the request body. The root cause is that CustomUserSerializer explicitly includes is_superuser in its fields list but omits it from read_only_fields, making it a client-writable field. The edit_user view performs no additional validation to prevent non-superusers from modifying this field. Once is_superuser is set to true, the account gains unrestricted access to all application functionality without requiring re-authentication. This issue has been patched in version 2.0.1.
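The root cause above is a mass-assignment pattern that is easy to spot statically: a Django REST Framework ModelSerializer whose Meta lists a privilege flag in fields without also listing it in read_only_fields. The following is an added example, not APTRS code: a small AST audit that flags that pattern, run over two constructed serializer sources (one shaped like the vulnerable CustomUserSerializer, one shaped like the fix). The serializer sources, the model name, and the set of flags in PRIVILEGE_FIELDS are assumptions for illustration, not copied from the APTRS repository.

```python
"""Added example (not APTRS code): audit DRF serializers for privilege flags
that are listed in Meta.fields but missing from Meta.read_only_fields."""
import ast

# Model fields that must never be client-writable on a user serializer.
# The set is an assumption for this example; extend it for your own models.
PRIVILEGE_FIELDS = {"is_superuser", "is_staff"}

# Constructed source shaped like the pre-2.0.1 pattern described in the advisory:
# is_superuser is in `fields` but not in `read_only_fields`, so a PUT/POST body
# containing {"is_superuser": true} is accepted by serializer.is_valid().
VULNERABLE_SRC = '''
from rest_framework import serializers
from .models import CustomUser

class CustomUserSerializer(serializers.ModelSerializer):
    class Meta:
        model = CustomUser
        fields = ["id", "username", "email", "is_active", "is_superuser"]
        read_only_fields = ["id"]
'''

# Constructed source shaped like the hardened form: the flag is still returned
# in responses but is ignored on input.
FIXED_SRC = '''
from rest_framework import serializers
from .models import CustomUser

class CustomUserSerializer(serializers.ModelSerializer):
    class Meta:
        model = CustomUser
        fields = ["id", "username", "email", "is_active", "is_superuser"]
        read_only_fields = ["id", "is_superuser"]
'''


def _names(node):
    """String literals of a list/tuple/set expression, or None if the value
    cannot be read statically (for example the string "__all__")."""
    if isinstance(node, (ast.List, ast.Tuple, ast.Set)):
        return [e.value for e in node.elts
                if isinstance(e, ast.Constant) and isinstance(e.value, str)]
    return None


def find_writable_privilege_fields(source):
    """Return [(serializer_class, field)] for every Meta whose `fields`
    exposes a privilege flag that is absent from `read_only_fields`."""
    findings = []
    for cls in ast.walk(ast.parse(source)):
        if not isinstance(cls, ast.ClassDef):
            continue
        for meta in cls.body:
            if not (isinstance(meta, ast.ClassDef) and meta.name == "Meta"):
                continue
            fields, read_only = None, []
            for stmt in meta.body:
                if not isinstance(stmt, ast.Assign):
                    continue
                targets = [t.id for t in stmt.targets if isinstance(t, ast.Name)]
                if "fields" in targets:
                    fields = _names(stmt.value)
                    # fields = "__all__" exposes every model field; treat it as
                    # the worst case and assume the model carries the flags.
                    if (fields is None and isinstance(stmt.value, ast.Constant)
                            and stmt.value.value == "__all__"):
                        fields = sorted(PRIVILEGE_FIELDS)
                elif "read_only_fields" in targets:
                    read_only = _names(stmt.value) or []
            if fields is None:
                continue
            for field in fields:
                if field in PRIVILEGE_FIELDS and field not in read_only:
                    findings.append((cls.name, field))
    return findings


if __name__ == "__main__":
    for label, src in (("vulnerable", VULNERABLE_SRC), ("fixed", FIXED_SRC)):
        print(label, find_writable_privilege_fields(src))
```

Marking the flag read-only in the serializer closes the mass-assignment path, but it is a serializer-level fix only; a view that still wants to let superusers promote accounts should do so through a separate, explicitly permission-checked endpoint rather than by reopening the field.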
CVSS Score
8.8 (HIGH)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Aptrs | Aptrs | < 2.0.1 |
Related Weaknesses (CWE)
References
- Patch: https://github.com/APTRS/APTRS/commit/d1f1b3a5d1953082af8e075712ca29742e900d56
- Release Notes: https://github.com/APTRS/APTRS/releases/tag/2.0.1
- Vendor Advisory (Exploit): https://github.com/APTRS/APTRS/security/advisories/GHSA-gv25-wp4h-9c35
FAQ
What is CVE-2026-34406?
CVE-2026-34406 is a vulnerability with a CVSS score of 8.8 (HIGH). APTRS (Automated Penetration Testing Reporting System) is a Python and Django-based automated reporting tool designed for penetration testers and security organizations. Prior to version 2.0.1, the edit_user endpoint accepts "is_superuser": true in the request body because CustomUserSerializer leaves that field writable, so any user who can reach the endpoint can escalate an account to superuser.
How severe is CVE-2026-34406?
CVE-2026-34406 has been rated HIGH with a CVSS base score of 8.8/10. The severity reflects an authenticated user gaining full superuser control of the application.
Is there a patch for CVE-2026-34406?
Yes. The issue is fixed in APTRS 2.0.1; see the patch commit and release notes in the References section above. Affected products include: Aptrs Aptrs (versions before 2.0.1).