PT-2026-38284 · Wger · Wger
Published 2026-05-06 · Updated 2026-05-13 · CVE-2026-43948
CVSS v3.1: 9.9 (Critical)
| Vector | AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
wger versions prior to 2.6
Description
An authorization bypass exists in the reset user password and gym permissions user edit views. The system performs a gym-scope authorization check using a Python object comparison that evaluates None != None as False. This allows a user with the gym.manage gym permission and no gym assignment (gym=None) to bypass the security guard and reset the password of any other user who also has no gym assignment. The new plaintext password is returned in the HTML response body, enabling full account takeover and permanently locking the victim out of their account.

Affected endpoints:
- '/en/gym/user//reset-user-password'
- '/en/gym/user//edit'
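The faulty scope check beside a hardened form, as an added illustration and not wger's own code; the `User` dataclass, the `gym` attribute holding a gym id or None, and the `has_manage_perm` flag are assumptions standing in for the real models.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class User:
    """Minimal stand-in for a user record (constructed for this example)."""
    username: str
    gym: Optional[int]          # gym id, or None when the user has no gym assignment
    has_manage_perm: bool = False   # stand-in for the gym.manage gym permission


def vulnerable_guard(actor: User, target: User) -> bool:
    """Scope check in the style the advisory describes.

    The intent is "deny unless the target belongs to the actor's gym", but
    ``None != None`` is False, so two users with no gym assignment at all are
    treated as members of the same gym and the guard lets the action through.
    """
    if not actor.has_manage_perm:
        return False
    if actor.gym != target.gym:
        return False
    return True


def hardened_guard(actor: User, target: User) -> bool:
    """Same check, but an actual gym is required on both sides before comparing.

    An actor without a gym has no scope to manage, and a target without a gym
    is outside the scope of every gym manager, so both cases are denied.
    """
    if not actor.has_manage_perm:
        return False
    if actor.gym is None or target.gym is None:
        return False
    return actor.gym == target.gym
```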
Recommendations
Update to version 2.6.
As a temporary workaround, restrict the gym.manage gym permission to trusted administrators only.
Weakness Enumeration
Incorrect Authorization
Affected Products
Wger