PT-2026-33301 · Wger · Wger

Published: 2026-04-16 · Updated: 2026-04-18 · CVE-2026-40474

CVSS v3.1: 7.6 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:L
Name of the Vulnerable Software and Affected Versions: wger versions prior to 2.5
Description: An improper access control issue exists in the GymConfigUpdateView component. The view declares the required permission config.change_gymconfig but fails to enforce it at runtime because it inherits WgerFormMixin instead of WgerPermissionMixin. Since the GymConfig object is an ownerless singleton and does not implement the get_owner_object() function, ownership checks are skipped.

This allows any authenticated user to access the endpoint '/config/gym-config/edit' and modify the global gym configuration. Such modifications trigger side effects in the save() function that bulk-update user profile gym assignments, resulting in vertical privilege escalation to installation-wide configuration control.
Recommendations: Update to version 2.5. As a temporary workaround, restrict access to the '/config/gym-config/edit' endpoint to authorized administrators only.

Tags: Fix · LPE

Weakness Enumeration: Missing Authorization · Improper Access Control

Related Identifiers: CVE-2026-40474 · GHSA-XPPV-4JRX-QF8M

Affected Products: Wger