CVE-2026-40474
Published: 17 April 2026
Summary
CVE-2026-40474 is a high-severity Improper Access Control (CWE-284) vulnerability in wger (vendor: Wger). Its CVSS base score is 7.6 (High).
Operationally, exploitation maps to the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). The CVE ranks at the 2.2nd percentile by exploit likelihood (well below the median); it is not currently listed in the CISA KEV catalog, although a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-6 (Least Privilege).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
AC-3 requires enforcement of approved authorizations for access to system resources, directly mitigating the GymConfigUpdateView's failure to enforce the declared 'config.change_gymconfig' permission at runtime.
AC-6 employs least privilege to restrict users to only necessary accesses, preventing low-privileged authenticated users from escalating to global gym configuration control.
CM-5 restricts access to configuration changes to authorized roles, blocking unauthorized modifications to the ownerless GymConfig singleton and its bulk-update side effects.
MITRE ATT&CK Enterprise Techniques
- T1068 Exploitation for Privilege Escalation
Why these techniques?
The vulnerability is explicitly described as enabling vertical privilege escalation via missing authorization in GymConfigUpdateView, allowing low-privileged users to modify global configuration and trigger widespread side effects on user profiles.
NVD Description
wger is a free, open-source workout and fitness manager. In versions 2.5 and below, the GymConfigUpdateView declares permission_required = 'config.change_gymconfig' but inherits WgerFormMixin instead of WgerPermissionMixin, so the permission is never enforced at runtime. Since GymConfig is an ownerless singleton, any authenticated user can modify the global gym configuration, triggering save() side effects that bulk-update user profile gym assignments — a vertical privilege escalation to installation-wide configuration control. This issue is fixed in version 2.5.
Deeper analysis
CVE-2026-40474 affects wger, a free open-source workout and fitness manager, in versions 2.5 and below. The vulnerability stems from the GymConfigUpdateView class, which declares permission_required = 'config.change_gymconfig' but inherits from WgerFormMixin rather than WgerPermissionMixin. Because the form mixin does not implement the permission check, the declared attribute is never read and the permission is never enforced at runtime. GymConfig is an ownerless singleton model, so there is no per-object ownership check to fall back on: any authenticated user can modify the global gym configuration, and the model's save() side effects bulk-update user profile gym assignments. The result is a vertical privilege escalation to installation-wide configuration control. The issue is associated with CWE-284 (Improper Access Control) and CWE-862 (Missing Authorization), with a CVSS v3.1 base score of 7.6 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:L).
Any authenticated user with low privileges can exploit this vulnerability remotely over the network with low complexity and no user interaction required. An attacker simply submits an update to the GymConfigUpdateView endpoint; no permission check runs, so the global gym settings are altered. Successful exploitation grants control over installation-wide configuration, including side effects that reassign gyms across all user profiles, potentially disrupting fitness data, user access, or operational settings for the entire wger instance.
The fix is tracked in the project's GitHub security advisory (GHSA-xppv-4jrx-qf8m), release notes, and the fixing commit (47ee5af93b3ced24b9f94b0a8b9296b50bc9523f). Note that the advisory text gives 2.5 both as the upper bound of the affected range and as the fixed version; confirm the exact fixed release against the advisory and the commit before treating an installation as patched. Security practitioners should upgrade to the fixed release and verify that custom deployments enforce proper permission mixins for similar views: a class-based view that sets permission_required but does not inherit a mixin that actually checks it has no authorization at all.
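The bug class here is a declared-but-unenforced permission: the attribute is present, but no mixin in the view's bases reads it. The following audit script, an added example that is not wger project code, uses the standard-library ast module to flag views that set permission_required without directly inheriting a mixin known to enforce it. The set of enforcing mixin names is an assumption (Django's PermissionRequiredMixin plus the WgerPermissionMixin named in the advisory), the sample module is constructed to mirror the advisory's description rather than copied from wger, and only direct bases are inspected.

```python
"""Audit Django class-based views for declared-but-unenforced permissions.

Added example, not wger project code. Parses Python source with the
standard-library ast module and reports every class that assigns a
`permission_required` attribute but lists no permission-enforcing mixin
among its direct bases (the CVE-2026-40474 pattern).
"""
from __future__ import annotations

import ast

# Assumption: these mixins check `permission_required` in dispatch().
# PermissionRequiredMixin is Django's; WgerPermissionMixin is the
# project-specific mixin named in the advisory.
ENFORCING_MIXINS = {"PermissionRequiredMixin", "WgerPermissionMixin"}


def _base_name(node: ast.expr) -> str:
    """Trailing identifier of a base-class expression.

    Handles bare names (WgerPermissionMixin) and dotted paths
    (mixins.PermissionRequiredMixin); anything else yields ''.
    """
    if isinstance(node, ast.Name):
        return node.id
    if isinstance(node, ast.Attribute):
        return node.attr
    return ""


def _declares_permission(cls: ast.ClassDef) -> bool:
    """True if the class body assigns `permission_required` at class level."""
    for stmt in cls.body:
        if isinstance(stmt, ast.Assign):
            targets = stmt.targets
        elif isinstance(stmt, ast.AnnAssign):
            targets = [stmt.target]
        else:
            continue
        for target in targets:
            if isinstance(target, ast.Name) and target.id == "permission_required":
                return True
    return False


def find_unenforced_views(source: str) -> list[tuple[str, int]]:
    """Return (class_name, line_number) for every class that declares a
    permission but has no enforcing mixin among its direct bases.

    Limitation of this example: an enforcing mixin inherited indirectly
    through an intermediate class is not resolved (that needs cross-module
    MRO resolution), so such classes are reported as findings to review.
    """
    findings: list[tuple[str, int]] = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.ClassDef) or not _declares_permission(node):
            continue
        bases = {_base_name(base) for base in node.bases}
        if bases.isdisjoint(ENFORCING_MIXINS):
            findings.append((node.name, node.lineno))
    return findings


# Constructed sample modelled on the advisory's description; not real wger
# source. The first view is the vulnerable shape, the second the fixed one.
SAMPLE_VIEWS = '''
from django.views.generic import UpdateView
from wger.utils.generic_views import WgerFormMixin, WgerPermissionMixin

class GymConfigUpdateView(WgerFormMixin, UpdateView):
    # Declared, but WgerFormMixin never reads it: nothing enforces it.
    permission_required = "config.change_gymconfig"

class GymConfigUpdateViewFixed(WgerFormMixin, WgerPermissionMixin, UpdateView):
    permission_required = "config.change_gymconfig"

class PublicView(UpdateView):
    pass
'''

if __name__ == "__main__":
    for name, line in find_unenforced_views(SAMPLE_VIEWS):
        print(f"{name} (line {line}): permission_required declared, no enforcing mixin")
```

Run it against a real tree by feeding each `views.py` to find_unenforced_views; a hit is not automatically a vulnerability (the class may enforce the check elsewhere), but it is exactly the shape the advisory describes and deserves a manual look.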
Details
- CWE(s)