User Admin Permission Vulnerability in SysReptor by Syslifters
CVE-2026-44987

3.8 LOW

Key Information:

Vendor

Syslifters

Status
Vendor
CVE Published: 8 May 2026

What is CVE-2026-44987?

SysReptor contains a vulnerability that allows users with 'User Admin' permissions to alter the email addresses of 'Superuser' accounts under specific conditions. If the 'Forgot Password' feature is enabled, User Admins can initiate a password reset for Superusers, particularly if multi-factor authentication (MFA) is not enabled. This can lead to unauthorized access to the Django backend and potential manipulation of SysReptor settings. Note, however, that managing user permissions is a design feature of the platform. Users are encouraged to upgrade to version 2026.29 to mitigate this vulnerability.

Affected Version(s)

sysreptor < 2026.29

CVSS V3.1

Score: 3.8
Severity: LOW
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Privileges Required: High
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved