In AVI Load balancer versions 30.2.2 and 30.2.3, performing an update on a user object via the /api/user endpoint using a PUT request fails with an HTTP 500 Internal Server Error when the is_superuser field is omitted from the request payload. This issue impacts automated processes and API integrations that do not include this optional field during user updates, causing unexpected failures and interruption in user management operations.

• Product: AVI Load Balancer

• Affected Versions: 30.2.2, 30.2.3

This issue is caused by an input validation defect in the affected Controller versions. When the is_superuser attribute is not present in the payload of a user update (PUT request), the server encounters an unhandled exception due to missing field handling logic, resulting in a generic 500 Internal Server Error. The error response provides no detailed message, and related debug logs do not capture useful diagnostic information, complicating troubleshooting efforts.

• Upgrade to Version 30.2.4
  
  The issue is resolved in version 30.2.4. Upgrade the AVI Load Balancer to this version to ensure proper validation of the is_superuser field during user updates.
  
  
  
• Workaround for Affected Versions (30.2.2, 30.2.3) 
  
  Include the is_superuser field explicitly in the PUT request payload, even if the value remains unchanged.
  
  

  {
    "username": "testuser",
    "password": "AviUser!1234",
    "name": "testuser",
    "is_superuser": false
  }
  

• The issue does not occur in versions 22.1.x or 31.1.1, where the PUT operation functions as expected without the is_superuser field.
  
  
• Ensure existing automation scripts include the is_superuser field in PUT requests when interacting with AVI Load Balancer running versions 30.2.2 or 30.2.3.