Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2026-43948

CVE-2026-43948: wger Fitness Manager Auth Bypass Flaw

CVE-2026-43948 is an authentication bypass vulnerability in wger fitness manager that allows attackers to reset passwords and take over accounts. This article covers the technical details, affected versions, and mitigation.

Published:

CVE-2026-43948 Overview

CVE-2026-43948 is an authorization bypass vulnerability in wger, a free, open-source workout and fitness manager. Versions prior to 2.6 contain a flawed gym-scope authorization check in the reset_user_password and gym_permissions_user_edit views. The check uses Python object comparison (!=), which evaluates None != None as False. Any authenticated user holding the gym.manage_gym permission with gym=None can reset the password of any other user whose gym attribute is also None. The new plaintext password is returned in the HTML response body, enabling immediate account takeover. The vulnerability is tracked under [CWE-863: Incorrect Authorization].

Critical Impact

A low-privileged manager account can take over any other ungymed account in one request, permanently locking out the legitimate user.

Affected Products

  • wger versions prior to 2.6
  • Self-hosted wger deployments exposing the user administration views
  • wger instances where multiple users exist without a gym assignment

Discovery Timeline

  • 2026-05-12 - CVE-2026-43948 published to NVD
  • 2026-05-13 - Last updated in NVD database

Technical Details for CVE-2026-43948

Vulnerability Analysis

The vulnerability resides in two Django views in wger: reset_user_password and gym_permissions_user_edit. Both views enforce a multi-tenant boundary by verifying that the acting user and the target user belong to the same gym. The check is implemented using Python's inequality operator on the gym attribute of each user. When both users have no gym assignment, the attribute is None on both sides, and the expression None != None evaluates to False. The guard intended to block cross-tenant access is silently bypassed.

Once the guard fails open, the reset_user_password view generates a new password for the victim, persists it, and renders it in the HTML response. The attacker reads the plaintext password directly from the response body and authenticates as the victim. The original password is overwritten in the database, denying the legitimate user access until an administrator intervenes.

Root Cause

The root cause is an incorrect authorization comparison. Tenant isolation logic must treat the unassigned state as a distinct scope, not as a value that compares equal to itself across users. Using a sentinel value or an explicit is not None precondition before the inequality check would have prevented the bypass. Returning a newly generated plaintext password in the response further amplifies the impact from authorization bypass to one-shot account takeover.

Attack Vector

An authenticated user with the gym.manage_gym permission and gym=None issues a POST request to the password reset view, supplying the victim's user identifier. The server skips the tenant check, resets the password, and returns the new credentials in the rendered HTML. The attacker reauthenticates as the victim and gains full access to the account. Refer to the wger GitHub Security Advisory for the upstream description.

Detection Methods for CVE-2026-43948

Indicators of Compromise

  • Unexpected password reset events in wger application logs targeting users with no gym assignment
  • HTTP POST requests to reset_user_password or gym_permissions_user_edit originating from accounts other than the user's own administrator
  • User reports of sudden lockout from accounts that previously worked
  • Session activity from a wger account immediately following a password reset event initiated by another user

Detection Strategies

  • Inspect Django request logs for repeated calls to the password reset endpoint by a single low-privileged account targeting multiple distinct user IDs
  • Correlate auth_user table password hash changes with the identity of the requesting user and flag mismatches
  • Alert when a user with gym=None invokes administrative views against another user with gym=None

Monitoring Recommendations

  • Forward wger application and web server logs to a centralized logging or SIEM platform for correlation and retention
  • Track authentication failures immediately followed by successful logins from new IP addresses as a takeover signal
  • Review accounts holding the gym.manage_gym permission and audit their recent administrative actions

How to Mitigate CVE-2026-43948

Immediate Actions Required

  • Upgrade wger to version 2.6 or later, which contains the corrected authorization check
  • Audit all user accounts for unexpected password changes since the deployment was first exposed
  • Force a password reset for all accounts where gym is None until the upgrade is verified
  • Restrict the gym.manage_gym permission to trusted administrators only

Patch Information

The maintainers fixed the vulnerability in wger 2.6. The patched views replace the flawed != comparison with logic that explicitly rejects requests where either user has no gym assignment or where the gyms do not match. Patch details and release notes are available in the wger GitHub Security Advisory GHSA-mhc8-p3jx-84mm.

Workarounds

  • If upgrading immediately is not possible, assign every user account to a specific gym so no user has gym=None
  • Revoke the gym.manage_gym permission from all non-administrator users until the upgrade is applied
  • Place the wger administrative views behind an authenticated reverse proxy or VPN to limit exposure
bash
# Upgrade wger using pip
pip install --upgrade wger>=2.6

# Verify installed version
python -c "import wger; print(wger.__version__)"

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.