CVE-2026-43948
wger-project · wger
A logic error in wger's gym-scope authorization check allows unprivileged users to perform full account takeovers of other users via password resets.
Executive summary
wger versions prior to 2.6 contain an authorization bypass vulnerability that allows an attacker to perform a full account takeover of other users.
Vulnerability
The application incorrectly performs a Python object comparison that evaluates None != None as False. This allows an attacker with gym.manage_gym permissions and no gym assignment to bypass authorization checks and reset the passwords of other users without a gym assignment.
Business impact
This flaw permits one-shot full account takeover, granting attackers unauthorized access to sensitive user data and effectively locking out legitimate users. Given the near-perfect CVSS score of 9.9, the risk of data compromise and loss of system integrity is critical.
Remediation
Immediate Action: Update the wger application to version 2.6 or later to correct the faulty authorization logic.
Proactive Monitoring: Monitor application logs for unusual password reset activity or unauthorized access attempts to user accounts.
Compensating Controls: Deploy a WAF to monitor for suspicious POST requests targeting password reset or user management endpoints.
Exploitation status
Public Exploit Available: Not explicitly stated (PoC exists per SSVC)
Analyst recommendation
This vulnerability is highly critical due to the ease of account takeover. Organizations must update wger to version 2.6 immediately. Failure to patch will leave user accounts exposed to complete compromise by any user meeting the minor prerequisite conditions.