{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-34406", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-27T13:45:29.620Z", "datePublished": "2026-03-31T21:18:51.205Z", "dateUpdated": "2026-04-03T16:38:03.750Z"}, "containers": {"cna": {"title": "APTRS: Privilege Escalation via Mass Assignment of is_superuser in User Edit Endpoint", "problemTypes": [{"descriptions": [{"cweId": "CWE-915", "lang": "en", "description": "CWE-915: Improperly Controlled Modification of Dynamically-Determined Object Attributes", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "HIGH", "subIntegrityImpact": "HIGH", "subAvailabilityImpact": "HIGH", "baseScore": 9.4, "baseSeverity": "CRITICAL", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H", "version": "4.0"}}], "references": [{"name": "https://github.com/APTRS/APTRS/security/advisories/GHSA-gv25-wp4h-9c35", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/APTRS/APTRS/security/advisories/GHSA-gv25-wp4h-9c35"}, {"name": "https://github.com/APTRS/APTRS/commit/d1f1b3a5d1953082af8e075712ca29742e900d56", "tags": ["x_refsource_MISC"], "url": "https://github.com/APTRS/APTRS/commit/d1f1b3a5d1953082af8e075712ca29742e900d56"}, {"name": "https://github.com/APTRS/APTRS/releases/tag/2.0.1", "tags": ["x_refsource_MISC"], "url": "https://github.com/APTRS/APTRS/releases/tag/2.0.1"}], "affected": [{"vendor": "APTRS", "product": "APTRS", "versions": [{"version": "< 2.0.1", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-31T21:18:51.205Z"}, "descriptions": [{"lang": "en", "value": "APTRS (Automated Penetration Testing Reporting System) is a Python and Django-based automated reporting tool designed for penetration testers and security organizations. Prior to version 2.0.1, the edit_user endpoint (POST /api/auth/edituser/<pk>) allows Any user who can reach that endpoint and submit crafted permission to escalate their own account (or any other account) to superuser by including \"is_superuser\": true in the request body. The root cause is that CustomUserSerializer explicitly includes is_superuser in its fields list but omits it from read_only_fields, making it a writable field. The edit_user view performs no additional validation to prevent non-superusers from modifying this field. Once is_superuser is set to true, gaining unrestricted access to all application functionality without requiring re-authentication. This issue has been patched in version 2.0.1."}], "source": {"advisory": "GHSA-gv25-wp4h-9c35", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-03T16:37:51.859124Z", "id": "CVE-2026-34406", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-03T16:38:03.750Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-34406", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-04-03T16:37:51.859124Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-03T16:37:59.197Z"}}], "cna": {"title": "APTRS: Privilege Escalation via Mass Assignment of is_superuser in User Edit Endpoint", "source": {"advisory": "GHSA-gv25-wp4h-9c35", "discovery": "UNKNOWN"}, "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 9.4, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "subIntegrityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "subAvailabilityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH"}}], "affected": [{"vendor": "APTRS", "product": "APTRS", "versions": [{"status": "affected", "version": "< 2.0.1"}]}], "references": [{"url": "https://github.com/APTRS/APTRS/security/advisories/GHSA-gv25-wp4h-9c35", "name": "https://github.com/APTRS/APTRS/security/advisories/GHSA-gv25-wp4h-9c35", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/APTRS/APTRS/commit/d1f1b3a5d1953082af8e075712ca29742e900d56", "name": "https://github.com/APTRS/APTRS/commit/d1f1b3a5d1953082af8e075712ca29742e900d56", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/APTRS/APTRS/releases/tag/2.0.1", "name": "https://github.com/APTRS/APTRS/releases/tag/2.0.1", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "APTRS (Automated Penetration Testing Reporting System) is a Python and Django-based automated reporting tool designed for penetration testers and security organizations. Prior to version 2.0.1, the edit_user endpoint (POST /api/auth/edituser/<pk>) allows Any user who can reach that endpoint and submit crafted permission to escalate their own account (or any other account) to superuser by including \"is_superuser\": true in the request body. The root cause is that CustomUserSerializer explicitly includes is_superuser in its fields list but omits it from read_only_fields, making it a writable field. The edit_user view performs no additional validation to prevent non-superusers from modifying this field. Once is_superuser is set to true, gaining unrestricted access to all application functionality without requiring re-authentication. This issue has been patched in version 2.0.1."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-915", "description": "CWE-915: Improperly Controlled Modification of Dynamically-Determined Object Attributes"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-31T21:18:51.205Z"}}}, "cveMetadata": {"cveId": "CVE-2026-34406", "state": "PUBLISHED", "dateUpdated": "2026-04-03T16:38:03.750Z", "dateReserved": "2026-03-27T13:45:29.620Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-31T21:18:51.205Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:aptrs:aptrs:*:*:*:*:*:python:*:*", "matchCriteriaId": "FE83DFB0-C9D9-4F10-A3DA-901FFBCDCC6D", "versionEndExcluding": "2.0.1", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "APTRS (Automated Penetration Testing Reporting System) is a Python and Django-based automated reporting tool designed for penetration testers and security organizations. Prior to version 2.0.1, the edit_user endpoint (POST /api/auth/edituser/<pk>) allows Any user who can reach that endpoint and submit crafted permission to escalate their own account (or any other account) to superuser by including \"is_superuser\": true in the request body. The root cause is that CustomUserSerializer explicitly includes is_superuser in its fields list but omits it from read_only_fields, making it a writable field. The edit_user view performs no additional validation to prevent non-superusers from modifying this field. Once is_superuser is set to true, gaining unrestricted access to all application functionality without requiring re-authentication. This issue has been patched in version 2.0.1."}], "id": "CVE-2026-34406", "lastModified": "2026-04-10T15:43:33.397", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 9.4, "baseSeverity": "CRITICAL", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "HIGH", "subConfidentialityImpact": "HIGH", "subIntegrityImpact": "HIGH", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-31T22:16:18.990", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/APTRS/APTRS/commit/d1f1b3a5d1953082af8e075712ca29742e900d56"}, {"source": "security-advisories@github.com", "tags": ["Release Notes"], "url": "https://github.com/APTRS/APTRS/releases/tag/2.0.1"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/APTRS/APTRS/security/advisories/GHSA-gv25-wp4h-9c35"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-915"}], "source": "security-advisories@github.com", "type": "Primary"}, {"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,2.0.1)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "APTRS", "source": "cna", "vendor": "APTRS"}, "product": "aptrs", "vendor": "aptrs"}], "analysis": {"en": {"generated_at": "2026-04-10T16:27:13.859109+00:00", "value": {"mitigation_remediation": ["Upgrade APTRS to version 2.0.1 or later, which removes the writable is_superuser field during user edits."], "summary": {"action": "Immediate Patch", "impact": "Privilege Escalation via Mass Assignment"}, "threat_synthesis": {"affected_systems": "APTRS, the Automated Penetration Testing Reporting System built with Python and Django, is vulnerable in all releases prior to 2.0.1. The issue exists in the POST /api/auth/edituser/<pk> endpoint where any reachable user can submit a mass-assignment payload.", "description_and_impact": "APTRS exposes a critical privilege escalation flaw in the user edit API. The endpoint accepts a JSON payload that includes the field is_superuser, which is unintentionally writable due to an oversight in the serializer\u2019s definition. An ordinary authenticated user can simply send a request setting is_superuser to true and obtain unrestricted control of the application, bypassing all internal permission checks and privileges. This enables the attacker to read, modify or delete any data, and to reconfigure system settings, effectively taking full control of the reporting platform.", "risk_and_exploitability": "The defect carries a CVSS score of 9.4, indicating very high severity. Exploitation likelihood is low (EPSS < 1%) but the impact is massive should an attacker succeed. The attack vector is straightforward: a user with network access to the API can craft a POST request that sets is_superuser to true. This bypasses authentication checks and provides unrestricted application access. The vulnerability is not listed in the CISA KEV catalog, suggesting no widely known active exploits yet."}}}}, "created": "2026-04-02T07:52:12.136155+00:00", "updated": "2026-04-13T14:28:09.036804+00:00", "vendors": ["aptrs", "aptrs$PRODUCT$aptrs"]}