CVE-2026-34406

Published: Apr 01, 2026
Last Modified: Apr 01, 2026
CRITICAL 9.4
Attack Vector: network
Attack Complexity: low
Privileges Required: low
User Interaction: none
Confidentiality: N/A
Integrity: N/A
Availability: N/A

Description

APTRS (Automated Penetration Testing Reporting System) is a Python and Django-based automated reporting tool designed for penetration testers and security organizations. Prior to version 2.0.1, the edit_user endpoint (POST /api/auth/edituser/<pk>) allows any user who can reach that endpoint and submit crafted permissions to escalate their own account (or any other account) to superuser by including 'is_superuser': true in the request body. The root cause is that CustomUserSerializer explicitly includes is_superuser in its fields list but omits it from read_only_fields, making it a writable field. The edit_user view performs no additional validation to prevent non-superusers from modifying this field. Once is_superuser is set to true, the user gains unrestricted access to all application functionality without requiring re-authentication. This issue has been patched in version 2.0.1.
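The writable-field root cause described above, as an added example that is not APTRS code and not the project's actual patch. It uses a pure-Python stand-in for the serializer rule (a field accepts input when it is in fields and not in read_only_fields); the class names, the view-level guard and the sample request body are assumptions.

```python
# Pure-Python stand-in for DRF's rule: a field accepts input only if it is in
# `fields` and not in `read_only_fields`. Hypothetical classes, not APTRS code.
class User:
    def __init__(self, pk, email, is_superuser=False):
        self.pk, self.email, self.is_superuser = pk, email, is_superuser

class VulnerableSerializer:
    fields = ("email", "is_superuser")
    read_only_fields = ()                      # is_superuser is writable

    @classmethod
    def update(cls, user, data):
        writable = set(cls.fields) - set(cls.read_only_fields)
        for name, value in data.items():
            if name in writable:               # other keys are silently ignored
                setattr(user, name, value)
        return user

class HardenedSerializer(VulnerableSerializer):
    read_only_fields = ("is_superuser",)       # serialized out, never accepted

PRIVILEGED_KEYS = {"is_superuser"}

def edit_user_vulnerable(requester, target, body):
    # No check on who is asking or which fields they send.
    return VulnerableSerializer.update(target, body)

def edit_user_hardened(requester, target, body):
    # Assumed view-level guard: reject, rather than silently drop, privileged
    # keys from non-superusers so the attempt can be logged and alerted on.
    if not requester.is_superuser and PRIVILEGED_KEYS & set(body):
        raise PermissionError("non-superuser sent privileged field")
    return HardenedSerializer.update(target, body)

def demo():
    body = {"email": "low@example.test", "is_superuser": True}  # constructed
    a = User(7, "low@example.test")
    edit_user_vulnerable(a, a, body)           # self-escalation succeeds
    b = User(7, "low@example.test")
    try:
        edit_user_hardened(b, b, body)
        rejected = False
    except PermissionError:
        rejected = True
    c = HardenedSerializer.update(User(7, "low@example.test"), body)
    return a.is_superuser, rejected, b.is_superuser, c.is_superuser

if __name__ == "__main__":
    print(demo())
```

The serializer change alone stops the escalation; the view-level rejection adds a signal that can be logged when a low-privileged account sends the field.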

CWE-915: Improperly Controlled Modification of Dynamically-Determined Object Attributes

Incomplete
Common Consequences
Security Scopes Affected: Integrity, Other
Potential Impacts: Modify Application Data; Execute Unauthorized Code or Commands; Varies by Context; Alter Execution Logic
Applicable Platforms
Languages: ASP.NET, Not Language-Specific, PHP, Python, Ruby
https://github.com/APTRS/APTRS/commit/d1f1b3a5d1953082af8e075712ca29742e900d56
https://github.com/APTRS/APTRS/releases/tag/2.0.1
https://github.com/APTRS/APTRS/security/advisories/GHSA-gv25-wp4h-9c35