← Back

CVE-2026-40474

nvd nist
Published: Apr 17, 2026Modified: Apr 24, 2026

JSON object

Loading...
7.6
Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:L
Exploitability: 2.8 / Impact: 4.7
Source: security-advisories@github.com (Secondary)

Description

wger is a free, open-source workout and fitness manager. In versions 2.5 and below, the GymConfigUpdateView declares permission_required = 'config.change_gymconfig' but inherits WgerFormMixin instead of WgerPermissionMixin, so the permission is never enforced at runtime. Since GymConfig is an ownerless singleton, any authenticated user can modify the global gym configuration, triggering save() side effects that bulk-update user profile gym assignments — a vertical privilege escalation to installation-wide configuration control. This issue is fixed in version 2.5.

Affected (1)

Products: Wger: Wger
Wger
1 product
Wger
Configuration A
1 vulnerable
Vulnerable SoftwareAffected Versions
Wger
Before 2.5

Related CWEs

CWE-284
Improper Access Control
The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.
CWE-862
Missing Authorization
The product does not perform an authorization check when an actor attempts to access a resource or perform an action.

References (3)

Source: security-advisories@github.com
Patch
Source: security-advisories@github.com
Release Notes
Source: security-advisories@github.com
ExploitVendor Advisory

Timeline

No history available yet.