High Severity Vulnerability
This vulnerability has been rated as High severity. Immediate action is recommended.
CVE-2026-40474
Vulnerability Description
wger is a free, open-source workout and fitness manager. In versions 2.5 and below, the GymConfigUpdateView declares permission_required = 'config.change_gymconfig' but inherits WgerFormMixin instead of WgerPermissionMixin, so the permission is never enforced at runtime. Since GymConfig is an ownerless singleton, any authenticated user can modify the global gym configuration, triggering save() side effects that bulk-update user profile gym assignments — a vertical privilege escalation to installation-wide configuration control. This issue is fixed in version 2.5.
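The failure mode above is a class-based-view configuration bug: declaring `permission_required` does nothing unless a mixin that actually reads it sits in the view's method resolution order. The following is an added Python illustration, not wger's code; `FormMixin`, `PermissionMixin`, `View`, `Request` and `User` are hypothetical stand-ins for the Django machinery, and `VulnerableConfigView` / `FixedConfigView` are constructed to mirror the advisory's description. It goes beyond the single view named here by including `views_missing_enforcement`, a generic audit that flags any view class declaring the attribute without an enforcing mixin, which is the regression check a maintainer would want in the test suite.

```python
# Added illustration of the mixin-ordering bug described in the advisory.
# None of these classes are wger's own; they are minimal stand-ins for
# Django-style class-based views so the example runs without Django.


class Forbidden(Exception):
    """Stand-in for Django's PermissionDenied / HttpResponseForbidden."""


class User:
    """Hypothetical user carrying a flat set of permission strings."""

    def __init__(self, username, perms=()):
        self.username = username
        self.perms = frozenset(perms)

    def has_perm(self, perm):
        return perm in self.perms


class Request:
    """Hypothetical request object; only .user matters here."""

    def __init__(self, user):
        self.user = user


class View:
    """Base view: dispatch() runs the handler with no access check at all."""

    def dispatch(self, request):
        return self.handle(request)

    def handle(self, request):
        # Placeholder for the real update; reports that the write went through.
        return "updated"


class FormMixin:
    """Stand-in for a form-plumbing mixin: it never looks at permission_required."""


class PermissionMixin:
    """Stand-in for an enforcing mixin: consults permission_required in dispatch()."""

    permission_required = None

    def dispatch(self, request):
        perm = self.permission_required
        if perm and not request.user.has_perm(perm):
            raise Forbidden(perm)
        return super().dispatch(request)


class VulnerableConfigView(FormMixin, View):
    # The attribute is declared, but nothing in the MRO ever reads it.
    permission_required = "config.change_gymconfig"


class FixedConfigView(PermissionMixin, FormMixin, View):
    # Same declaration; PermissionMixin now sits before View and enforces it.
    permission_required = "config.change_gymconfig"


def attempt(view_cls, user):
    """Dispatch a request from `user` to `view_cls`; returns 'updated' or 'forbidden'."""
    try:
        return view_cls().dispatch(Request(user))
    except Forbidden:
        return "forbidden"


def views_missing_enforcement(view_classes):
    """Audit: names of views that declare permission_required but lack PermissionMixin.

    This is the generic check; running it over a project's registered views
    catches the whole class of bug rather than one instance.
    """
    return [
        cls.__name__
        for cls in view_classes
        if getattr(cls, "permission_required", None)
        and not issubclass(cls, PermissionMixin)
    ]


if __name__ == "__main__":
    member = User("member")  # constructed: ordinary authenticated user, no perms
    admin = User("admin", {"config.change_gymconfig"})  # constructed: has the perm
    print("vulnerable view, plain member:", attempt(VulnerableConfigView, member))
    print("fixed view, plain member:     ", attempt(FixedConfigView, member))
    print("fixed view, admin:            ", attempt(FixedConfigView, admin))
    print("audit:", views_missing_enforcement([VulnerableConfigView, FixedConfigView, View]))
```

The audit deliberately keys on the enforcing mixin's presence rather than on the attribute, because the attribute alone is exactly what the vulnerable view had; in a real Django project the same idea can be applied by iterating the URL resolver's view classes and asserting each `permission_required`-bearing class is a subclass of the project's enforcing mixin.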
CVSS Metrics (Common Vulnerability Scoring System)
Vector String: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:L
References & Resources
- https://github.com/wger-project/wger/commit/47ee5af93b3ced24b9f94b0a8b9296b50bc9523f (source: security-advisories@github.com)
- https://github.com/wger-project/wger/releases/tag/2.5 (source: security-advisories@github.com)
- https://github.com/wger-project/wger/security/advisories/GHSA-xppv-4jrx-qf8m (source: security-advisories@github.com)
Severity Details
Weakness Type (CWE): Improper Access Control
- Description: The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.
- Typical Severity: Medium
- Abstraction Level: Pillar
Key Information
- Published Date: April 17, 2026
