CVE-2026-40474
Published 2026-04-17
Priority P3 50 · high · CVSS 3.1 base score 7.6
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:L
EPSS: 0.33% (percentile 25.1)
wger is a free, open-source workout and fitness manager. In versions 2.5 and below, the GymConfigUpdateView declares permission_required = 'config.change_gymconfig' but inherits WgerFormMixin instead of WgerPermissionMixin, so the permission is never enforced at runtime. Since GymConfig is an ownerless singleton, any authenticated user can modify the global gym configuration, triggering save() side effects that bulk-update user profile gym assignments — a vertical privilege escalation to installation-wide configuration control. This issue is fixed in version 2.5.
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| wger-project | wger | < 2.5 | 2.5 |
| wger | wger | < 2.5 | 2.5 |
| wger | wger | 0 – 2.1 | — |
VulDB
wger-project wger up to 2.4 Configuration config.change_gymconfig save access control
vuldb·2026-04-17·CVSS 7.6
A vulnerability, which was classified as critical, was found in wger-project wger up to 2.4. This impacts the function Save of the file config.change_gymconfig of the component Configuration Handler. Such manipulation leads to improper access controls.
This vulnerability is documented as CVE-2026-40474. The attack can be executed remotely. There is not any exploit available.
You should upgrade the affected component.
GHSA
wger has Broken Access Control in Global Gym Configuration Update Endpoint
ghsa·2026-04-16
CVE-2026-40474 [HIGH] CWE-284 wger has Broken Access Control in Global Gym Configuration Update Endpoint
## Summary
wger exposes a global configuration edit endpoint at `/config/gym-config/edit` implemented by `GymConfigUpdateView`. The view declares `permission_required = 'config.change_gymconfig'` but does not enforce it because it inherits `WgerFormMixin` (ownership-only checks) instead of the project’s permission-enforcing mixin (`WgerPermissionMixin`).
The edited object is a singleton (`GymConfig(pk=1)`) and the model does not implement `get_owner_object()`, so `WgerFormMixin` skips ownership enforcement. As a result, a low-privileged authenticated user can modify installation-wide configuration and trigger server-side side effects in `GymConfig.save()`.
This is a vertical privilege escalation from a regular
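The failure mode described in the advisory is a general one in Django-style class-based views: a `permission_required` attribute is just class data, and it only has an effect if some mixin in the method resolution order reads it during `dispatch()`. The following is an added, self-contained illustration written for this page (it is not wger's code and does not import Django); `FormMixin`, `PermissionMixin`, `GymConfig`, `GymNotes`, the view classes and the `audit_views()` helper are constructed stand-ins that mimic the ownership-only versus permission-enforcing behaviour the advisory attributes to `WgerFormMixin` and `WgerPermissionMixin`. It shows the ownerless singleton passing through the ownership-only mixin, the same view rejecting the request once a permission-enforcing mixin is in the MRO, and a small audit that flags views declaring `permission_required` without a mixin that enforces it.

```python
"""Constructed model of a Django-like mixin chain (not wger's code, no Django
import). Demonstrates why `permission_required` is inert unless a mixin reads
it, and how an ownerless singleton slips past an ownership-only check."""


class PermissionDenied(Exception):
    pass


class User:
    def __init__(self, username, perms=()):
        self.username = username
        self._perms = set(perms)

    def has_perm(self, perm):
        return perm in self._perms


class Request:
    def __init__(self, user):
        self.user = user


class GymConfig:
    """Singleton-style global config: no owner, no get_owner_object()."""
    pk = 1


class GymNotes:
    """A normal per-user object that does expose an owner."""
    def __init__(self, owner):
        self.owner = owner

    def get_owner_object(self):
        return self.owner  # the owning User


class View:
    def dispatch(self, request):
        return "200 OK"


class FormMixin(View):
    """Ownership-only check (stand-in for the advisory's WgerFormMixin):
    if the object has no get_owner_object(), nothing is checked at all."""
    def dispatch(self, request):
        owner_getter = getattr(self.get_object(), "get_owner_object", None)
        if owner_getter is not None and owner_getter() is not request.user:
            raise PermissionDenied("not the owner")
        return super().dispatch(request)


class PermissionMixin(View):
    """Actually consumes permission_required (stand-in for a
    PermissionRequiredMixin-style WgerPermissionMixin)."""
    permission_required = None

    def dispatch(self, request):
        perm = self.permission_required
        if perm and not request.user.has_perm(perm):
            raise PermissionDenied(f"missing {perm}")
        return super().dispatch(request)


class VulnerableGymConfigUpdateView(FormMixin):
    permission_required = "config.change_gymconfig"  # declared, never read

    def get_object(self):
        return GymConfig()


class FixedGymConfigUpdateView(PermissionMixin, FormMixin):
    permission_required = "config.change_gymconfig"  # now enforced in dispatch

    def get_object(self):
        return GymConfig()


class NotesUpdateView(FormMixin):
    def __init__(self, obj):
        self.obj = obj

    def get_object(self):
        return self.obj


def try_update(view, user):
    """Dispatch a request as `user`; return the status line or the 403 reason."""
    try:
        return view.dispatch(Request(user))
    except PermissionDenied as exc:
        return f"403 {exc}"


def audit_views(view_classes):
    """Flag views that declare permission_required but have no enforcing mixin
    in their MRO. Suitable as a unit test in a project using this pattern."""
    return [
        cls.__name__
        for cls in view_classes
        if "permission_required" in vars(cls) and not issubclass(cls, PermissionMixin)
    ]


if __name__ == "__main__":
    alice, admin = User("alice"), User("admin", ["config.change_gymconfig"])
    print(try_update(VulnerableGymConfigUpdateView(), alice))  # 200 OK (bug)
    print(try_update(FixedGymConfigUpdateView(), alice))       # 403 missing ...
    print(try_update(FixedGymConfigUpdateView(), admin))       # 200 OK
    print(audit_views([VulnerableGymConfigUpdateView, FixedGymConfigUpdateView, NotesUpdateView]))
```

The audit helper is the practical takeaway: because the declaration and the enforcement live in different classes, a static check over the view registry (declares `permission_required` but does not inherit the enforcing mixin) catches this class of bug at test time rather than after deployment.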
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
Published: 2026-04-17