Description
wger is a free, open-source workout and fitness manager. Prior to 2.6, the reset_user_password and gym_permissions_user_edit views in wger perform a gym-scope authorization check using Python object comparison (!=) that evaluates None != None as False, silently bypassing the guard when both the attacker and victim have no gym assignment (gym=None). A user with gym.manage_gym permission and gym=None can reset the password of any other gym=None user; the new plaintext password is returned verbatim in the HTML response body, enabling one-shot full account takeover. The victim's original password is invalidated, locking them out permanently. This vulnerability is fixed in 2.6.
Published: 2026-05-12
Score: 9.9 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The flaw lies in the way the wger application performs a gym‑scope authorization check for password reset and gym permission editing. The code uses a Python object comparison that evaluates None != None as False, causing a silent bypass of the check when both the attacker and the victim have no gym assignment (gym=None). An attacker who has the gym.manage_gym permission but is not associated with any gym can therefore reset the password of any other user who also has no gym assignment. The new password is returned in clear text within the HTML response body, giving the attacker immediate full control of the victim’s account and permanently locking the victim out by invalidating their original password. This is a classic example of inadequate authorization, CWE‑863, and results in complete compromise of user credentials.
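As an added illustration (not code from wger or the wger-project), a simplified stand-in for the gym-scope guard described above, next to a hardened form that fails closed when either side has no gym assignment; the `Member` class, the guard functions, the audit helper and the sample users are hypothetical:

```python
from dataclasses import dataclass
from typing import Optional


# Hypothetical stand-in for a user's gym membership (not wger's model):
# `gym` holds the gym's primary key, or None when the user has no gym.
@dataclass(frozen=True)
class Member:
    username: str
    gym: Optional[int]
    can_manage_gym: bool = False


def vulnerable_same_gym_guard(manager: Member, target: Member) -> bool:
    """Guard shaped like the pre-2.6 check: allow unless the gyms differ.
    In Python `None != None` is False, so two unassigned users pass."""
    if not manager.can_manage_gym:
        return False
    if manager.gym != target.gym:  # None vs None -> no difference -> allowed
        return False
    return True


def hardened_same_gym_guard(manager: Member, target: Member) -> bool:
    """Fail closed: a manager without a gym has no scope to manage, and a
    target without a gym is outside every gym scope."""
    if not manager.can_manage_gym:
        return False
    if manager.gym is None or target.gym is None:
        return False
    return manager.gym == target.gym


def audit_unscoped_managers(members):
    """Defender check matching the advisory's audit step: users that hold
    the manage permission while assigned to no gym."""
    return sorted(m.username for m in members
                  if m.can_manage_gym and m.gym is None)


# Constructed sample population; no real users or instance behind it.
MEMBERS = [
    Member("alice", gym=None, can_manage_gym=True),
    Member("bob", gym=None),
    Member("carol", gym=1, can_manage_gym=True),
    Member("dave", gym=1),
    Member("erin", gym=2),
]
```

The same `is None` reasoning applies to any scope check built on an optional foreign key: compare identities only after confirming both sides actually have one.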

Affected Systems

The vulnerability affects the open‑source wger workout and fitness manager provided by wger‑project, including any version prior to 2.6. Any installation that has not upgraded to the fixed 2.6 release is susceptible, regardless of deployment environment.

Risk and Exploitability

With a CVSS score of 9.9, this issue is considered critical. The EPSS score is not available, and the vulnerability has not been listed in the CISA KEV catalog, but the high severity indicates that exploitation would have severe consequences. The attack can be carried out through the web UI: an authenticated user who possesses gym.manage_gym permission and has no gym assigned can trigger the vulnerable view. No additional conditions, such as elevated privileges or remote network access, are required beyond the existing permission. As the vulnerability enables one‑shot account takeover, the risk to affected sites is extremely high.

Generated by OpenCVE AI on May 12, 2026 at 22:38 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to wger version 2.6 or later, where the None comparison bug has been corrected and the plaintext password disclosure removed
  • Restrict gym.manage_gym permission to users who are assigned to a gym, or remove the permission from all gym=None users, to eliminate the authorization bypass
  • Audit current installations to identify any gym=None users with gym.manage_gym permission and immediately reassign them or revoke the permission; additionally, validate that password reset logic does not return credentials in the response


Advisories
Source: GitHub GHSA
ID: GHSA-mhc8-p3jx-84mm
Title: wger: cross-tenant password reset and plaintext disclosure via gym=None bypass
History

Wed, 13 May 2026 15:15:00 +0000

Values added (Metrics):
ssvc {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 12 May 2026 23:30:00 +0000

Values added (First Time appeared): Wger-project; Wger-project wger
Values added (Vendors & Products): Wger-project; Wger-project wger

Tue, 12 May 2026 21:30:00 +0000

Values added (Description, Title, Weaknesses, References, Metrics):
Title: wger: cross-tenant password reset and plaintext disclosure via gym=None bypass
Weaknesses: CWE-863
References: (none listed)
Metrics: cvssV3_1 {'score': 9.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-13T14:50:46.717Z

Reserved: 2026-05-04T16:59:09.090Z

Link: CVE-2026-43948

Vulnrichment

Updated: 2026-05-13T14:50:36.819Z

NVD

Status: Deferred

Published: 2026-05-12T22:16:35.197

Modified: 2026-05-13T16:16:53.397

Link: CVE-2026-43948

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-12T23:15:26Z

Weaknesses