CVE-2026-43948

wger-project · wger

A logic error in wger's gym-scope authorization check allows unprivileged users to perform full account takeovers of other users via password resets.

Executive summary

wger versions prior to 2.6 contain an authorization bypass vulnerability that allows an attacker to perform a full account takeover of other users.

Vulnerability

The application incorrectly performs a Python object comparison that evaluates None != None as False. This allows an attacker with gym.manage_gym permissions and no gym assignment to bypass authorization checks and reset the passwords of other users without a gym assignment.

Business impact

This flaw permits one-shot full account takeover, granting attackers unauthorized access to sensitive user data and effectively locking out legitimate users. Given the near-perfect CVSS score of 9.9, the risk of data compromise and loss of system integrity is critical.

Remediation

Immediate Action: Update the wger application to version 2.6 or later to correct the faulty authorization logic.

Proactive Monitoring: Monitor application logs for unusual password reset activity or unauthorized access attempts to user accounts.

Compensating Controls: Deploy a WAF to monitor for suspicious POST requests targeting password reset or user management endpoints.

Exploitation status

Public Exploit Available: Not explicitly stated (PoC exists per SSVC)

Analyst recommendation

This vulnerability is highly critical due to the ease of account takeover. Organizations must update wger to version 2.6 immediately. Failure to patch will leave user accounts exposed to complete compromise by any user meeting the minor prerequisite conditions.