CVE-2026-34406 Overview
CVE-2026-34406 is a critical privilege escalation vulnerability in APTRS (Automated Penetration Testing Reporting System), a Python and Django-based automated reporting tool designed for penetration testers and security organizations. Prior to version 2.0.1, the edit_user endpoint (POST /api/auth/edituser/<pk>) allows any authenticated user to escalate their own account (or any other account) to superuser status by including "is_superuser": true in the request body.
Critical Impact
Any authenticated user can gain unrestricted superuser access to the entire APTRS application without requiring re-authentication, potentially compromising all penetration testing data and reports.
Affected Products
- APTRS (Automated Penetration Testing Reporting System) versions prior to 2.0.1
- Django-based APTRS installations using CustomUserSerializer
- Systems exposing the /api/auth/edituser/<pk> endpoint
Discovery Timeline
- 2026-03-31 - CVE-2026-34406 published to NVD
- 2026-04-01 - Last updated in NVD database
Technical Details for CVE-2026-34406
Vulnerability Analysis
This vulnerability is classified as CWE-915 (Improperly Controlled Modification of Dynamically-Determined Object Attributes), commonly known as Mass Assignment. The flaw resides in how the Django REST Framework serializer handles user attribute updates.
The CustomUserSerializer class explicitly includes the is_superuser field in its serializable fields list but critically omits it from the read_only_fields configuration. This design oversight transforms what should be a protected administrative attribute into a writable field accessible to any authenticated user.
The edit_user view compounds this issue by performing no server-side validation to verify whether the requesting user has sufficient privileges to modify superuser status. As a result, a low-privileged user can craft a malicious request that promotes their account to superuser, bypassing all authorization controls.
Root Cause
The root cause is an insecure Django REST Framework serializer configuration where the is_superuser field was inadvertently exposed as writable. The CustomUserSerializer failed to include is_superuser in its read_only_fields tuple, and the corresponding view lacked proper authorization checks to validate whether the requesting user should be allowed to modify privileged account attributes.
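To make the serializer misconfiguration concrete, the following is an added example and not code from the APTRS project: a dependency-free model of a DRF-style serializer's update path, showing the pre-2.0.1 shape (is_superuser in fields, absent from read_only_fields, no authorization check) beside the patched shape (privileged attributes dropped unless the requester is already a superuser) and the alternative of declaring the field read-only. The User dataclass, UserSerializerModel, PRIVILEGED_FIELDS and the sample accounts are assumptions for illustration; the field names is_superuser and is_staff are Django's. The same filter, applied to the request body before the view runs, is what the middleware workaround described later on this page would implement.

```python
"""
Added example, not APTRS project code: a dependency-free model of the
DRF serializer behaviour behind CVE-2026-34406. `User`,
`UserSerializerModel` and `PRIVILEGED_FIELDS` are assumptions for
illustration; `is_superuser`/`is_staff` are Django's field names.
"""
from dataclasses import dataclass

# Attributes a non-superuser must never be able to set on any account.
# The page's patch guards is_superuser; is_staff is added here as an assumption.
PRIVILEGED_FIELDS = ("is_superuser", "is_staff")
ALL_FIELDS = ("username", "email", "is_staff", "is_superuser")


@dataclass
class User:
    username: str
    email: str = ""
    is_staff: bool = False
    is_superuser: bool = False


class UserSerializerModel:
    """Stand-in for a ModelSerializer: `fields` is everything the serializer
    exposes, `read_only_fields` what a client may read but never write."""

    def __init__(self, fields, read_only_fields=(), request_user=None,
                 guard_privileged=False):
        self.fields = tuple(fields)
        self.read_only_fields = tuple(read_only_fields)
        self.request_user = request_user          # plays self.context['request'].user
        self.guard_privileged = guard_privileged  # the patch's authorization check

    def writable_fields(self):
        return [f for f in self.fields if f not in self.read_only_fields]

    def update(self, instance, payload):
        allowed = self.writable_fields()
        data = {k: v for k, v in payload.items() if k in allowed}
        # The fix: a requester who is not already a superuser cannot touch
        # privileged attributes, whatever the request body contains.
        requester_is_super = bool(self.request_user and self.request_user.is_superuser)
        if self.guard_privileged and not requester_is_super:
            for name in PRIVILEGED_FIELDS:
                data.pop(name, None)
        for name, value in data.items():
            setattr(instance, name, value)
        return instance


def vulnerable_serializer(request_user):
    """Pre-2.0.1 shape: is_superuser is in fields, not in read_only_fields,
    and no authorization check exists (CWE-915 mass assignment)."""
    return UserSerializerModel(ALL_FIELDS, read_only_fields=(), request_user=request_user)


def fixed_serializer(request_user):
    """Post-2.0.1 shape as the page describes it: same fields, but update()
    drops privileged attributes unless the requester is a superuser."""
    return UserSerializerModel(ALL_FIELDS, read_only_fields=(), request_user=request_user,
                               guard_privileged=True)


def read_only_serializer(request_user):
    """Alternative hardening: declare the privileged fields read-only so no
    client, superuser or not, can write them through this serializer."""
    return UserSerializerModel(ALL_FIELDS, read_only_fields=PRIVILEGED_FIELDS,
                               request_user=request_user)


def demo():
    """Apply the same self-edit payload through each serializer shape."""
    payload = {"email": "alice@example.invalid", "is_superuser": True}
    results = {}

    alice = User("alice")
    vulnerable_serializer(alice).update(alice, payload)
    results["vulnerable"] = (alice.email, alice.is_superuser)   # ('alice@example.invalid', True)

    bob = User("bob")
    fixed_serializer(bob).update(bob, payload)
    results["fixed_self"] = (bob.email, bob.is_superuser)       # ('alice@example.invalid', False)

    admin = User("admin", is_superuser=True)
    fixed_serializer(admin).update(bob, {"is_superuser": True})
    results["fixed_by_admin"] = bob.is_superuser                # True: a real superuser may promote

    carol = User("carol")
    read_only_serializer(admin).update(carol, {"is_superuser": True})
    results["read_only_by_admin"] = carol.is_superuser          # False: read-only blocks everyone
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The guard checks the requester, not the target: a user editing their own record and a user editing someone else's are treated identically, which is the point of doing the check in the serializer rather than in a view that may be reached by several routes. Declaring the field read-only is the stricter option and is appropriate when promotions are only ever done through a separate admin-only endpoint.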
Attack Vector
This is a network-based attack requiring low privileges (authenticated user). An attacker with any valid user account can exploit this vulnerability by:
- Authenticating to the APTRS application with standard user credentials
- Crafting a POST request to /api/auth/edituser/<pk> with their user ID
- Including "is_superuser": true in the JSON request body
- Gaining immediate superuser access without re-authentication
The attack requires no user interaction and can be executed with low complexity against any APTRS instance prior to version 2.0.1.
# Security patch in APTRS/accounts/serializers.py - Fixed GHSA-gv25-wp4h-9c35
# Set is_staff to True by default for new user
validated_data['is_staff'] = True
# Only a superuser can create another superuser
request = self.context.get('request')
if not (request and request.user.is_superuser):
    validated_data.pop('is_superuser', None)
groups_data = validated_data.pop('groups', [])  # Extract groups
if 'password' not in validated_data:
    raise serializers.ValidationError("Password is required for creating a new user.")
Source: GitHub Commit d1f1b3a
Detection Methods for CVE-2026-34406
Indicators of Compromise
- Unexpected changes to user is_superuser field values in the database
- POST requests to /api/auth/edituser/<pk> containing is_superuser parameter from non-admin users
- Audit logs showing user permission changes without corresponding administrative actions
- Users with elevated privileges who should not have superuser status
Detection Strategies
- Monitor HTTP request bodies to the /api/auth/edituser/ endpoint for is_superuser field modifications
- Implement database-level audit triggers on user table superuser field changes
- Review Django application logs for suspicious edit_user view activity
- Deploy web application firewall rules to detect mass assignment patterns in API requests
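The request-body monitoring and audit-log review above can be run as a script. The following is an added example, not part of the original advisory: it scans JSON-lines request logs for POSTs to the edit_user endpoint that carry privileged fields from a requester who was not already a superuser. It assumes an application-level logger that records the requesting user, their superuser status at request time, and the parsed body (ordinary web-server access logs do not record bodies, so this needs a Django logging middleware or WAF export); the log lines, user names and field names other than is_superuser are constructed samples.

```python
"""
Added example, not part of the original advisory: detect the CVE-2026-34406
request pattern in application-level JSON-lines request logs. The logger
format, the `user_is_superuser` field and the sample lines are assumptions;
the endpoint path and the is_superuser field come from the advisory.
"""
import json
import re

EDIT_USER_PATH = re.compile(r"^/api/auth/edituser/(?P<pk>\d+)/?$")
PRIVILEGED_KEYS = frozenset({"is_superuser", "is_staff"})  # is_staff added as an assumption

# Constructed sample log: one self-promotion by a normal user, one benign
# self-edit, one legitimate admin promotion, one GET, one rejected attempt
# on another account, and one malformed line.
SAMPLE_LOG = """\
{"ts": "2026-04-02T10:00:01Z", "method": "POST", "path": "/api/auth/edituser/12", "user": "alice", "user_pk": 12, "user_is_superuser": false, "body": {"email": "alice@example.invalid", "is_superuser": true}, "status": 200}
{"ts": "2026-04-02T10:00:05Z", "method": "POST", "path": "/api/auth/edituser/12", "user": "alice", "user_pk": 12, "user_is_superuser": false, "body": {"email": "a2@example.invalid"}, "status": 200}
{"ts": "2026-04-02T10:01:10Z", "method": "POST", "path": "/api/auth/edituser/7", "user": "admin", "user_pk": 1, "user_is_superuser": true, "body": {"is_superuser": true}, "status": 200}
{"ts": "2026-04-02T10:02:00Z", "method": "GET", "path": "/api/auth/edituser/12", "user": "alice", "user_pk": 12, "user_is_superuser": false, "body": null, "status": 200}
{"ts": "2026-04-02T10:03:30Z", "method": "POST", "path": "/api/auth/edituser/7", "user": "carol", "user_pk": 9, "user_is_superuser": false, "body": {"is_staff": true}, "status": 403}
not a json line
"""


def parse_events(log_text):
    """Yield one dict per well-formed JSON line; malformed lines are skipped."""
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            yield json.loads(line)
        except json.JSONDecodeError:
            continue


def classify(event):
    """Return a finding for a privileged-field write to edit_user by a
    non-superuser, or None if the event does not match the pattern."""
    if str(event.get("method", "")).upper() != "POST":
        return None
    match = EDIT_USER_PATH.match(event.get("path", ""))
    if not match:
        return None
    body = event.get("body")
    if not isinstance(body, dict):
        return None
    keys = sorted(PRIVILEGED_KEYS & set(body))
    if not keys:
        return None
    if event.get("user_is_superuser"):
        return None  # a real superuser changing privileges is expected traffic
    target_pk = int(match.group("pk"))
    status = event.get("status")
    return {
        "ts": event.get("ts"),
        "user": event.get("user"),
        "target_pk": target_pk,
        "self_target": event.get("user_pk") == target_pk,
        "keys": keys,
        "status": status,
        # On an unpatched instance a 2xx means the write most likely landed;
        # confirm against the user table before concluding either way.
        "outcome": "likely_succeeded" if status and 200 <= status < 300 else "rejected_or_unknown",
    }


def scan(log_text):
    """All findings in the log, in order of appearance."""
    return [f for f in map(classify, parse_events(log_text)) if f]


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

Findings with outcome "likely_succeeded" should be cross-checked against the database indicator listed above (unexpected is_superuser values), and the accounts involved should be reviewed as part of the privilege audit; the script deliberately does not suppress repeated attempts from one user, since a burst of them is itself a signal worth keeping.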
Monitoring Recommendations
- Enable verbose logging for all authentication and user management endpoints
- Configure SIEM alerts for privilege escalation patterns in APTRS access logs
- Implement regular user privilege audits to identify unauthorized superuser accounts
- Monitor for rapid changes in user permissions across the application
How to Mitigate CVE-2026-34406
Immediate Actions Required
- Upgrade APTRS to version 2.0.1 or later immediately
- Audit all existing user accounts and verify superuser status is legitimate
- Review access logs for evidence of exploitation prior to patching
- Revoke any unauthorized superuser privileges discovered during audit
Patch Information
The vulnerability has been patched in APTRS version 2.0.1. The fix implements proper authorization checks in the serializer to ensure only superusers can modify the is_superuser field. Users should upgrade immediately by following the GitHub Release 2.0.1 instructions. For detailed information about the vulnerability, refer to the GitHub Security Advisory GHSA-gv25-wp4h-9c35.
Workarounds
- Restrict network access to the APTRS application to trusted administrators only until patching is complete
- Implement a web application firewall rule to block requests containing is_superuser to user edit endpoints
- Add custom middleware to validate and strip privileged fields from non-admin requests
- Disable the edit_user endpoint entirely if user self-service editing is not required
# Configuration example - Upgrade APTRS to patched version
git fetch --tags
git checkout 2.0.1
pip install -r requirements.txt
python manage.py migrate
python manage.py collectstatic --noinput
# Restart your APTRS service after upgrade
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

