Incorrect authorization in wger - CVE-2026-43948

 


Published: April 28, 2026 / Updated: May 18, 2026


Vulnerability identifier: #VU128292
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2026-43948
CWE-ID: CWE-863
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: wger Project
Affected software:
wger

Detailed vulnerability description

The vulnerability allows a remote user to take over other users' accounts and lock them out.

The vulnerability exists due to incorrect authorization in the reset_user_password and gym_permissions_user_edit views when they handle requests that target users whose gym assignment is unset (gym=None). Because the authorization check passes when both the requester's and the target's gym assignment are unset, a remote authenticated user with no gym assignment can send a request that resets another gym=None user's password, taking over that account and locking its owner out.

The new plaintext password is returned in the HTML response body, so the requester learns it directly. The issue is limited to cases where both the requester and the target user have gym=None.
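The following model of the CWE-863 pattern is an added illustration and is not wger's code: the User class, the check functions and the reset_user_password stand-in are simplified assumptions about the shape of the flawed check (a direct comparison of the two gym fields, which is true for None == None), placed beside a hardened version that refuses unset gym assignments.

```python
"""Model of the gym=None authorization bypass described in the advisory.

Added illustration, not wger's code. The shape of the vulnerable check
(a plain comparison of requester.gym and target.gym) is an assumption; the
advisory only states that the bypass occurs when both values are unset.
"""
from dataclasses import dataclass
from typing import Callable, Optional
import secrets


@dataclass
class User:
    username: str
    gym: Optional[int]          # gym id, or None when no gym is assigned
    is_trainer: bool = False
    password: str = ""


class Forbidden(Exception):
    """Stand-in for Django's PermissionDenied / HttpResponseForbidden."""


def same_gym_vulnerable(requester: User, target: User) -> bool:
    """Assumed flawed check: compares only the two gym fields.

    When both are None the comparison is None == None, which is True, so
    any authenticated user without a gym can act on any other gym-less user.
    """
    return requester.gym == target.gym


def same_gym_fixed(requester: User, target: User) -> bool:
    """Hardened check: requester must hold the trainer role, both accounts
    must actually be assigned to a gym, and it must be the same gym.
    """
    if not requester.is_trainer:
        return False
    if requester.gym is None or target.gym is None:
        return False
    return requester.gym == target.gym


def reset_user_password(requester: User, target: User,
                        check: Callable[[User, User], bool]) -> str:
    """Stand-in for the password-reset view.

    The advisory notes the new plaintext password is returned in the HTML
    response body; returning it here models that, which is why an
    authorization bypass on this view is a full account takeover.
    """
    if not check(requester, target):
        raise Forbidden(f"{requester.username} may not manage {target.username}")
    new_password = secrets.token_urlsafe(12)
    target.password = new_password   # the victim's old credential no longer works
    return new_password


def demo() -> dict:
    """Exercise both checks with constructed users (not real accounts)."""
    attacker = User("attacker", gym=None)
    victim = User("victim", gym=None, password="original")
    trainer = User("trainer", gym=1, is_trainer=True)
    member = User("member", gym=1)
    results = {}

    # Vulnerable check: a gym-less attacker resets a gym-less victim.
    leaked = reset_user_password(attacker, victim, same_gym_vulnerable)
    results["vuln_attacker_resets_victim"] = leaked == victim.password
    results["victim_locked_out"] = victim.password != "original"

    # Hardened check: the same request is refused.
    try:
        reset_user_password(attacker, victim, same_gym_fixed)
        results["fixed_attacker_resets_victim"] = True
    except Forbidden:
        results["fixed_attacker_resets_victim"] = False

    # Hardened check: a trainer resetting a member of the same gym still works,
    # but cannot reach a gym-less user.
    results["fixed_trainer_resets_member"] = bool(
        reset_user_password(trainer, member, same_gym_fixed))
    results["fixed_trainer_resets_victim"] = same_gym_fixed(trainer, victim)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The fixed check treats an unset gym on either side as a denial rather than as a match, which is the general rule for any scope comparison on a nullable field: absence of a scope must never satisfy a same-scope test.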


How to mitigate CVE-2026-43948

Install the security update from the vendor's website.

Sources