Description
wger is a free, open-source workout and fitness manager. In versions 2.5 and below, the GymConfigUpdateView declares permission_required = 'config.change_gymconfig' but inherits WgerFormMixin instead of WgerPermissionMixin, so the permission is never enforced at runtime. Since GymConfig is an ownerless singleton, any authenticated user can modify the global gym configuration, triggering save() side effects that bulk-update user profile gym assignments — a vertical privilege escalation to installation-wide configuration control. This issue is fixed in version 2.5.
Published: 2026-04-17
Score: 7.6 High
EPSS: < 1% Very Low
KEV: No
Impact: Privilege Escalation
Action: Patch
AI Analysis

Impact

The GymConfigUpdateView inherits WgerFormMixin rather than WgerPermissionMixin, so the permission it declares, 'config.change_gymconfig', is never checked at runtime. Any authenticated user can therefore change the global gym configuration, triggering save() side effects that bulk-update all user gym assignments. The attacker thereby gains installation-wide configuration control, a vertical privilege escalation that bypasses the intended access restrictions.
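The root cause described above and in the description is a mixin-ordering mistake: a class attribute such as permission_required is inert unless some class in the view's MRO actually reads it during dispatch. The following is an added, Django-free illustration written for this record, not wger's code; the mixin names WgerFormMixin and WgerPermissionMixin come from the advisory, but their bodies, the User and GymConfig stand-ins, and the views_with_unenforced_permission audit helper are assumptions that model Django's PermissionRequiredMixin pattern in miniature.

```python
"""Simplified model of the mixin-ordering bug behind CVE-2026-40474.

Added illustration, not wger's code. Mixin names are taken from the advisory;
their bodies below are assumed minimal stand-ins for the Django
PermissionRequiredMixin / FormMixin pattern.
"""
from dataclasses import dataclass, field


@dataclass
class User:
    username: str
    perms: set = field(default_factory=set)

    def has_perm(self, perm: str) -> bool:
        return perm in self.perms


class PermissionDenied(Exception):
    pass


class View:
    """Base view: dispatch() simply runs the handler."""

    def dispatch(self, user: User) -> str:
        return self.post(user)

    def post(self, user: User) -> str:
        raise NotImplementedError


class WgerFormMixin:
    """Form helpers only: never looks at permission_required (assumed)."""

    def dispatch(self, user: User) -> str:
        return super().dispatch(user)


class WgerPermissionMixin:
    """Enforces the view's permission_required before the handler runs."""

    permission_required = None

    def dispatch(self, user: User) -> str:
        if self.permission_required and not user.has_perm(self.permission_required):
            raise PermissionDenied(self.permission_required)
        return super().dispatch(user)


class GymConfig:
    """Ownerless singleton stand-in, as the advisory describes."""

    default_gym = "default"
    saves = 0


# Vulnerable shape: the permission is declared, but the only mixin in the MRO
# is the form mixin, so the attribute is dead data and is never checked.
class VulnerableGymConfigUpdateView(WgerFormMixin, View):
    permission_required = "config.change_gymconfig"

    def post(self, user: User) -> str:
        GymConfig.default_gym = f"set-by-{user.username}"
        GymConfig.saves += 1  # stands in for save() side effects
        return "updated"


# Fixed shape: the permission mixin precedes the handler in the MRO.
class FixedGymConfigUpdateView(WgerPermissionMixin, WgerFormMixin, View):
    permission_required = "config.change_gymconfig"

    def post(self, user: User) -> str:
        GymConfig.default_gym = f"set-by-{user.username}"
        GymConfig.saves += 1
        return "updated"


def attempt_update(view_cls, user: User) -> str:
    """Returns 'updated' if the view ran, 'denied' if the mixin blocked it."""
    try:
        return view_cls().dispatch(user)
    except PermissionDenied:
        return "denied"


def views_with_unenforced_permission(view_classes) -> list:
    """Audit check (assumed helper): views that declare permission_required
    but have no enforcing mixin anywhere in their MRO. Suitable as a unit
    test run over a project's view classes to catch this bug class early."""
    enforcing = (WgerPermissionMixin,)
    return [
        v.__name__
        for v in view_classes
        if getattr(v, "permission_required", None) and not issubclass(v, enforcing)
    ]


if __name__ == "__main__":
    member = User("member")
    admin = User("admin", {"config.change_gymconfig"})
    print(attempt_update(VulnerableGymConfigUpdateView, member))  # updated
    print(attempt_update(FixedGymConfigUpdateView, member))       # denied
    print(attempt_update(FixedGymConfigUpdateView, admin))        # updated
    print(views_with_unenforced_permission(
        [VulnerableGymConfigUpdateView, FixedGymConfigUpdateView]))  # ['VulnerableGymConfigUpdateView']
```

The audit helper is the part worth adapting: iterating a project's view classes and flagging any that carry permission_required without a permission-enforcing mixin in their MRO turns this whole bug class into a failing test rather than a post-release advisory.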

Affected Systems

This issue affects all releases of wger prior to the 2.5 release. The mitigation was applied in version 2.5, which replaces the incorrect mixin with the proper permission enforcement logic. System administrators should verify the installed version and upgrade accordingly.

Risk and Exploitability

With a CVSS score of 7.6 the vulnerability is rated high severity; it requires only an authenticated account, a low barrier for any registered user. The EPSS score is not available, and the vulnerability is not listed in CISA's KEV catalog, indicating no known widespread exploitation yet. Nonetheless, because any logged-in user can modify global settings that affect all users, the potential impact on integrity and availability is significant, and the vulnerability should be treated as a priority for remediation.

Generated by OpenCVE AI on April 18, 2026 at 17:04 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade wger to version 2.5 or later to apply the fixed permission enforcement
  • Configure the permissions so that only users in the administrator group have the 'config.change_gymconfig' permission, and revoke it from all other users
  • Enable logging of all actions to the global gym configuration so that changes are auditable and can be reviewed for unauthorized modifications


Tracking


Advisories
Source: Github GHSA
ID: GHSA-xppv-4jrx-qf8m
Title: wger has Broken Access Control in Global Gym Configuration Update Endpoint
History

Fri, 24 Apr 2026 15:00:00 +0000

Values added:
  • First Time appeared: Wger; Wger wger
  • CPEs: cpe:2.3:a:wger:wger:*:*:*:*:*:*:*:*
  • Vendors & Products: Wger; Wger wger

Mon, 20 Apr 2026 16:15:00 +0000

Values added:
  • Metrics: ssvc
    {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 17 Apr 2026 22:45:00 +0000

Values added:
  • First Time appeared: Wger-project; Wger-project wger
  • Vendors & Products: Wger-project; Wger-project wger

Fri, 17 Apr 2026 21:45:00 +0000

Values added:
  • Description: wger is a free, open-source workout and fitness manager. In versions 2.5 and below, the GymConfigUpdateView declares permission_required = 'config.change_gymconfig' but inherits WgerFormMixin instead of WgerPermissionMixin, so the permission is never enforced at runtime. Since GymConfig is an ownerless singleton, any authenticated user can modify the global gym configuration, triggering save() side effects that bulk-update user profile gym assignments — a vertical privilege escalation to installation-wide configuration control. This issue is fixed in version 2.5.
  • Title: wger has Broken Access Control in the Global Gym Configuration Update Endpoint
  • Weaknesses: CWE-284; CWE-862
  • References:
  • Metrics: cvssV3_1
    {'score': 7.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:L'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-20T16:08:12.427Z

Reserved: 2026-04-13T19:50:42.113Z

Link: CVE-2026-40474

Vulnrichment

Updated: 2026-04-20T16:08:06.942Z

NVD

Status : Analyzed

Published: 2026-04-17T22:16:33.213

Modified: 2026-04-24T14:46:22.683

Link: CVE-2026-40474

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T17:15:05Z

Weaknesses