SB20260511110 - Multiple vulnerabilities in wger




Published: May 11, 2026 Updated: May 18, 2026

Security Bulletin ID SB20260511110
CSH Severity
Medium
Patch available
YES
Number of vulnerabilities 3
Exploitation vector Remote access
Highest impact Data manipulation

Breakdown by Severity

Medium 100%

Description

This security bulletin contains information about 3 vulnerabilities.


1) Resource exhaustion (CVE-ID: N/A)

CWE-ID: CWE-400 - Resource exhaustion

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:P/U:Green


The vulnerability allows a remote user to perform a denial of service (DoS) attack.

The vulnerability exists because the application does not properly control consumption of internal resources in RoutineSerializer. An authenticated remote user can trigger resource exhaustion with a crafted routine request and perform a denial of service (DoS) attack.
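As an added illustration of the CWE-400 pattern (this is not wger's code and not the actual RoutineSerializer logic, which the bulletin does not detail): a routine payload deserializer that materialises unbounded nested input, beside one that enforces byte, depth and cardinality limits before allocating anything. The payload shape (days, slots, sets), the limit values, the sample inputs and the function names are assumptions made for the example.

```python
import json

# Constructed limits: assumptions for illustration, tune per deployment.
MAX_BODY_BYTES = 64 * 1024
MAX_DEPTH = 8
MAX_DAYS = 14
MAX_SLOTS_PER_DAY = 20
MAX_SETS_PER_SLOT = 10


class PayloadRejected(ValueError):
    """Raised when a request exceeds a resource limit."""


def json_depth(obj):
    """Nesting depth of a decoded JSON value, counting containers only.
    Iterative, so attacker-controlled nesting cannot hit the recursion limit."""
    stack = [(obj, 1)]
    deepest = 0
    while stack:
        node, depth = stack.pop()
        if isinstance(node, dict):
            children = list(node.values())
        elif isinstance(node, list):
            children = node
        else:
            continue  # scalars add no depth
        deepest = max(deepest, depth)
        stack.extend((child, depth + 1) for child in children)
    return deepest


def deserialize_unbounded(body):
    """Vulnerable pattern (hypothetical): materialises whatever the client
    sends, so memory and CPU grow with the nested object count of one request."""
    data = json.loads(body)
    routine = {"name": data.get("name", ""), "days": []}
    for day in data.get("days", []):
        slots = [{"sets": [dict(s) for s in slot.get("sets", [])]}
                 for slot in day.get("slots", [])]
        routine["days"].append({"slots": slots})
    return routine


def deserialize_bounded(body):
    """Hardened pattern: check size, depth and per-level cardinality before
    building anything proportional to the input."""
    if len(body) > MAX_BODY_BYTES:
        raise PayloadRejected("body too large")
    data = json.loads(body)
    if json_depth(data) > MAX_DEPTH:
        raise PayloadRejected("nesting too deep")
    if not isinstance(data, dict):
        raise PayloadRejected("object expected")
    days = data.get("days", [])
    if not isinstance(days, list) or len(days) > MAX_DAYS:
        raise PayloadRejected("too many days")
    for day in days:
        slots = day.get("slots", []) if isinstance(day, dict) else None
        if not isinstance(slots, list) or len(slots) > MAX_SLOTS_PER_DAY:
            raise PayloadRejected("too many slots in a day")
        for slot in slots:
            sets_ = slot.get("sets", []) if isinstance(slot, dict) else None
            if not isinstance(sets_, list) or len(sets_) > MAX_SETS_PER_SLOT:
                raise PayloadRejected("too many sets in a slot")
    return deserialize_unbounded(body)  # input is bounded at this point


def count_sets(routine):
    """Total number of set objects materialised for a routine."""
    return sum(len(slot["sets"]) for day in routine["days"] for slot in day["slots"])


def rejected(body):
    """True if the hardened deserializer refuses the body."""
    try:
        deserialize_bounded(body)
    except PayloadRejected:
        return True
    return False


def _encode(obj):
    return json.dumps(obj, separators=(",", ":")).encode()


# Constructed sample inputs. ABUSIVE stays under the byte limit yet carries
# 3 x 100 x 50 = 15,000 set objects; DEEP is 100 nested lists.
BENIGN = _encode({"name": "PPL", "days": [{"slots": [{"sets": [{"reps": 5}] * 3}]}]})
ABUSIVE = _encode({"name": "x", "days": [{"slots": [{"sets": [{}] * 50}] * 100}] * 3})
DEEP = b"[" * 100 + b"]" * 100
```

The practical check against a deployed instance is whether a routine request carrying a few thousand nested elements returns a 4xx promptly or makes the worker stall; rejecting before materialising is what keeps the cost of a bad request roughly constant instead of proportional to what the client chose to send.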


2) Authorization bypass through user-controlled key (CVE-ID: CVE-2026-43977)

CWE-ID: CWE-639 - Authorization Bypass Through User-Controlled Key

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to disclose sensitive information.

The vulnerability exists due to improper access control in the RoutineViewSet /logs/ and /stats/ API actions when handling requests for template routines not owned by the requester. A remote attacker can send crafted requests to read another user's private workout session notes, exercise history, and training statistics.

Exploitation is possible against routines marked as public templates, and routine IDs can be enumerated via the routine listing endpoint.
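An added example (not wger's code) of the pattern behind this item: a routine's visibility rule (owner, or anyone when the routine is a public template) being reused for the logs and stats actions, beside an owner-only lookup. The data model, the store class, the sample records and the method names are assumptions made for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    id: int


@dataclass
class Routine:
    id: int
    owner_id: int
    is_public_template: bool = False


@dataclass
class WorkoutLog:
    routine_id: int
    user_id: int
    note: str


class NotFound(Exception):
    """Answering 404 for both missing and foreign routines avoids confirming
    which IDs exist, even though the listing endpoint may reveal them anyway."""


class RoutineStore:
    def __init__(self, routines, logs):
        self.routines = {r.id: r for r in routines}
        self.logs = logs

    def visible_routine(self, user, routine_id):
        """Routine-level visibility: the owner, or anyone if it is a public
        template. This is the rule a template gallery legitimately uses."""
        r = self.routines.get(routine_id)
        if r is None or not (r.owner_id == user.id or r.is_public_template):
            raise NotFound(routine_id)
        return r

    def logs_vulnerable(self, user, routine_id):
        """Vulnerable pattern (hypothetical): the logs action reuses the
        visibility rule, so a non-owner reading a public template also gets
        the owner's private session notes."""
        r = self.visible_routine(user, routine_id)
        return [entry for entry in self.logs if entry.routine_id == r.id]

    def logs_fixed(self, user, routine_id):
        """Fixed pattern: logs are owner-only regardless of the template
        flag, and the log query itself is scoped to the requester."""
        r = self.routines.get(routine_id)
        if r is None or r.owner_id != user.id:
            raise NotFound(routine_id)
        return [entry for entry in self.logs
                if entry.routine_id == r.id and entry.user_id == user.id]

    def stats_fixed(self, user, routine_id):
        """Stats derive from the owner-scoped logs, so they inherit the check."""
        return {"sessions": len(self.logs_fixed(user, routine_id))}


def denied(action, user, routine_id):
    """True if the action refuses the request."""
    try:
        action(user, routine_id)
    except NotFound:
        return True
    return False


# Constructed fixture: Alice owns a public template (10) and a private
# routine (11); Mallory owns nothing.
ALICE, MALLORY = User(1), User(2)
STORE = RoutineStore(
    routines=[Routine(10, owner_id=1, is_public_template=True),
              Routine(11, owner_id=1)],
    logs=[WorkoutLog(10, 1, "knee felt off, dropped weight"),
          WorkoutLog(10, 1, "PR on squat")],
)
```

To verify a fix on a live instance, take a routine ID that appears in the public listing and request its /logs/ and /stats/ as a different (or anonymous) user: a patched instance should refuse, while the template itself remains readable.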


3) Improper privilege management (CVE-ID: CVE-2026-43978)

CWE-ID: CWE-269 - Improper Privilege Management

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote user to escalate privileges and impersonate a gym manager or general manager account.

The vulnerability exists due to improper privilege management in the trainer-login endpoint in wger/core/views/user.py when processing chained trainer-login requests. A remote user with a trainer account can first perform a legitimate trainer-login switch into a low-privileged user account and then, from that already impersonating session, send a second trainer-login request targeting a gym manager or general manager account. The chained request is accepted, so the attacker ends up impersonating the higher-privileged account.

Exploitation requires access to a gym trainer account and a target manager account within the same gym.
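An added example (not wger's code; the bulletin does not describe the exact control that fails) modelling a trainer-login session and the trainer to member to manager chain described above. The role ladder, the session keys, the weak variant (which skips the rank check on a session already in trainer-login mode) and the guard in the fixed variant are all assumptions made for the example.

```python
from enum import IntEnum


class Role(IntEnum):
    MEMBER = 0
    TRAINER = 1
    GYM_MANAGER = 2
    GENERAL_MANAGER = 3


# Constructed fixture: user id -> (role, gym id)
USERS = {
    1: (Role.TRAINER, 100),
    2: (Role.MEMBER, 100),
    3: (Role.GYM_MANAGER, 100),
    4: (Role.GENERAL_MANAGER, 100),
    5: (Role.MEMBER, 200),
}


class Denied(Exception):
    pass


class Session(dict):
    """Stand-in for a server-side session: 'user_id' is the effective user,
    'trainer_login_from' the real trainer while impersonating."""

    @property
    def effective_user(self):
        return self["user_id"]

    @property
    def real_user(self):
        return self.get("trainer_login_from", self["user_id"])


def _check_switch(requester_id, target_id):
    """Requester must be at least a trainer, share the target's gym, and
    outrank the target."""
    role, gym = USERS[requester_id]
    target_role, target_gym = USERS[target_id]
    if role < Role.TRAINER or target_gym != gym or target_role >= role:
        raise Denied("cannot switch to this user")


def trainer_login_vulnerable(session, target_id):
    """Hypothetical vulnerable pattern: the rank check runs only on the first
    switch; a session already in trainer-login mode is treated as vetted and
    merely re-targeted, with just the gym compared."""
    if "trainer_login_from" not in session:
        _check_switch(session["user_id"], target_id)
        session["trainer_login_from"] = session["user_id"]
    else:
        _, gym = USERS[session["trainer_login_from"]]
        if USERS[target_id][1] != gym:
            raise Denied("different gym")
    session["user_id"] = target_id


def trainer_login_fixed(session, target_id):
    """Hardened: no chaining (impersonation must be ended first) and the
    rank and gym checks always run against the real trainer."""
    if "trainer_login_from" in session:
        raise Denied("already in trainer-login mode; end it first")
    _check_switch(session["user_id"], target_id)
    session["trainer_login_from"] = session["user_id"]
    session["user_id"] = target_id


def trainer_logout(session):
    """Return to the real trainer's identity."""
    if "trainer_login_from" in session:
        session["user_id"] = session.pop("trainer_login_from")


def switch_denied(login, session, target_id):
    """True if the given implementation refuses the switch."""
    try:
        login(session, target_id)
    except Denied:
        return True
    return False


def chained_attack(login):
    """Trainer(1) -> member(2) -> gym manager(3) against the given
    implementation; returns the final effective user, or None if denied."""
    session = Session(user_id=1)
    login(session, 2)
    if switch_denied(login, session, 3):
        return None
    return session.effective_user
```

Beyond forbidding chaining, the guard evaluates every switch against the real trainer's rank and gym rather than the currently impersonated user; that is the property worth asserting in a regression test, since a direct trainer-to-manager switch is already refused by both variants and only the chained path differs.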


Remediation

Install the update from the vendor's website.