CVE-2026-43948
Published 2026-05-12
Priority: P2 · 64 · critical · CVSS 3.1 base score 9.9
Vector: AV:N / AC:L / PR:L / UI:N / S:C / C:H / I:H / A:H
EPSS: 0.37% (29.0th percentile)
wger is a free, open-source workout and fitness manager. Prior to 2.6, the reset_user_password and gym_permissions_user_edit views in wger perform a gym-scope authorization check using Python object comparison (!=) that evaluates None != None as False, silently bypassing the guard when both the attacker and victim have no gym assignment (gym=None). A user with gym.manage_gym permission and gym=None can reset the password of any other gym=None user; the new plaintext password is returned verbatim in the HTML response body, enabling one-shot full account takeover. The victim's original password is invalidated, locking them out permanently. This vulnerability is fixed in 2.6.
Affected (3 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| wger-project | wger | < 2.6 | 2.6 |
| wger | wger | >= 0 < 2.6 | 2.6 |
| wger | wger | 0 – 2.5 | — |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| NVD | 3.1 | 9.9 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H |
| GHSA | | 9.9 | CRITICAL | |
GHSA · 2026-05-20 · CVSS 9.9
CVE-2026-43948 [CRITICAL] CWE-862: wger: cross-tenant account deletion / deactivation / activation by gym.manage_gym + gym=None
## Summary
GHSA-mhc8-p3jx-84mm (CVE-2026-43948) reported that wger's `reset_user_password` and `gym_permissions_user_edit` views in `wger/gym/views/user.py` performed a gym-scope authorization check using Django ORM object comparison (`if request.user.userprofile.gym != user.userprofile.gym`) which silently passes when both sides are `None` (`None != None` evaluates to `False`). The maintainer's suggested patch ("Apply the same `same_gym()` helper pattern to all five views sharing this check") replaces every `userprofile.gym !=` site with the new `is_same_gym()` helper that explicitly excludes `None` (`gym_a is not None and gym_a == gym_b`).
The fix landed in `wger/gym/views/{admin_notes,documen
VulDB · 2026-05-12
CVE-2026-43948 [CRITICAL]: wger-project wger up to 2.5 Response Body reset_user_password/gym_permissions_user_edit authorization
A vulnerability classified as critical was found in wger-project wger up to 2.5. Impacted is the function reset_user_password/gym_permissions_user_edit of the component Response Body Handler. Executing a manipulation can lead to incorrect authorization.
This vulnerability is tracked as CVE-2026-43948. The attack can be launched remotely. No exploit exists.
Upgrading the affected component is advised.
GHSA · 2026-05-06
CVE-2026-43948 [CRITICAL] CWE-863: wger: cross-tenant password reset and plaintext disclosure via gym=None bypass
### Summary
The `reset_user_password` and `gym_permissions_user_edit` views in wger perform a gym-scope authorization check using Python object comparison (`!=`) that evaluates `None != None` as `False`, silently bypassing the guard when both the attacker and victim have no gym assignment (`gym=None`). A user with `gym.manage_gym` permission and `gym=None` can reset the password of **any other `gym=None` user**; the new plaintext password is returned verbatim in the HTML response body, enabling one-shot full account takeover. The victim's original password is invalidated, locking them out permanently.
### Details
**File**: `wger/gym/views/user.py`
The authorization guard in `reset_user_password` (and the pa
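The following is an added example, not wger's own code, that models the guard both GHSA entries above describe: the pre-2.6 `!=` comparison that passes when both sides are `None`, next to the `is_same_gym()` helper pattern the first summary quotes from the fix (`gym_a is not None and gym_a == gym_b`). Plain dataclasses stand in for Django model instances, and every name except `is_same_gym` is an assumption; `audit()` runs each guard over the four gym-assignment combinations a regression test should cover.

```python
# Added example (not wger's own code): models the gym-scope guard the
# advisory describes, the pre-2.6 `!=` comparison beside the
# `is_same_gym()` helper pattern quoted from the fix, and audits both
# against the four assignment combinations. Dataclasses stand in for
# Django model instances; names other than `is_same_gym` are assumed.
from dataclasses import dataclass
from typing import Callable, Dict, Optional


@dataclass(frozen=True)
class Gym:
    name: str


@dataclass
class UserProfile:
    username: str
    gym: Optional[Gym]            # None = no gym assignment, as in the advisory
    can_manage_gym: bool = False  # stands in for the gym.manage_gym permission


def vulnerable_guard(actor: UserProfile, target: UserProfile) -> bool:
    """Pre-2.6 pattern: `if request.user.userprofile.gym != user.userprofile.gym`.
    Returns True when the view would proceed to the privileged action.
    With both gyms None, `None != None` is False, so the guard passes."""
    if not actor.can_manage_gym:
        return False
    if actor.gym != target.gym:
        return False
    return True


def is_same_gym(gym_a: Optional[Gym], gym_b: Optional[Gym]) -> bool:
    """Helper pattern from the fix: an unassigned gym never matches anything."""
    return gym_a is not None and gym_a == gym_b


def fixed_guard(actor: UserProfile, target: UserProfile) -> bool:
    """Post-fix pattern: same permission check, scope check via is_same_gym()."""
    if not actor.can_manage_gym:
        return False
    return is_same_gym(actor.gym, target.gym)


def audit(guard: Callable[[UserProfile, UserProfile], bool]) -> Dict[str, bool]:
    """Run a guard over constructed profiles; returns scenario -> allowed."""
    alpha, beta = Gym("alpha"), Gym("beta")
    cases = {
        "same gym": (UserProfile("m1", alpha, True), UserProfile("u1", alpha)),
        "different gym": (UserProfile("m2", alpha, True), UserProfile("u2", beta)),
        "actor None, target gym": (UserProfile("m3", None, True), UserProfile("u3", alpha)),
        "both None": (UserProfile("m4", None, True), UserProfile("u4", None)),
    }
    return {name: guard(actor, target) for name, (actor, target) in cases.items()}


if __name__ == "__main__":
    for label, guard in (("vulnerable", vulnerable_guard), ("fixed", fixed_guard)):
        print(label, audit(guard))
```

Only the "both None" row differs between the two audits, which is exactly the gap the advisory names. On real Django models `==` compares primary keys, so the `is not None` clause is what closes it; a unit test that creates two profiles with `gym=None` and asserts the privileged view is refused is the check worth keeping in the suite.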
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
Published: 2026-05-12