CVE-2026-44987: CWE-269: Improper Privilege Management in Syslifters sysreptor
SysReptor is a fully customizable pentest reporting platform. Prior to version 2026.29, users with "User Admin" permissions can change the email addresses of users with "Superuser" permissions. If the SysReptor installation has the "Forgot Password" functionality enabled (non-default), they can reset the Superusers' passwords and authenticate, if the Superuser has no MFA enabled. User managers can then access the Django backend (/admin) or manipulate the settings of the SysReptor installation. Note that user managers have the ability to access all pentest projects by assigning themselves "Project Admin" permissions. This is intentional and by design. This issue has been patched in version 2026.29.
AI Analysis
Technical Summary
Syslifters sysreptor before version 2026.29 contains a privilege management flaw where users with "User Admin" rights can alter the email addresses of "Superuser" accounts. If the optional "Forgot Password" feature is enabled and the targeted Superuser lacks multi-factor authentication, the attacker can reset the Superuser's password and authenticate as that user. This leads to unauthorized access to the Django admin backend and configuration settings. The ability for user managers to assign themselves "Project Admin" permissions and access pentest projects is by design and not part of the vulnerability. The issue is resolved in version 2026.29.
Potential Impact
An attacker with "User Admin" permissions can escalate privileges to Superuser level by resetting passwords if the "Forgot Password" feature is enabled and MFA is not used by the Superuser. This enables unauthorized access to the Django backend and full control over the SysReptor installation settings. The impact is limited by the prerequisite permissions and the optional feature setting. The CVSS score of 3.8 reflects a low-severity impact with limited confidentiality and integrity loss and no availability impact.
Mitigation Recommendations
Upgrade SysReptor to version 2026.29 or later, where this vulnerability is patched. If upgrading immediately is not possible, ensure the "Forgot Password" functionality is disabled (the default setting) and enforce multi-factor authentication for all Superuser accounts to prevent exploitation.
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-05-08T16:23:33.265Z
- CVSS Version: 3.1
- State: PUBLISHED
- Remediation Level: null
Threat ID: 69fe61e5cbff5d8610367fc2
Added to database: 5/8/2026, 10:21:25 PM
Last enriched: 5/8/2026, 10:36:38 PM
Last updated: 5/9/2026, 2:26:24 AM