Cyber Resilience

CVE-2026-40474

Severity: High · Public PoC

Published: 17 April 2026

Modified: 24 April 2026
KEV Added: not listed
Patch: available (wger 2.5)
CVSS Score (v3.1): 7.6, vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:L
EPSS Score: 0.0001 (3.3rd percentile)
Risk Priority: 15 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2026-40474 is a high-severity Improper Access Control (CWE-284) vulnerability in wger. Its CVSS base score is 7.6 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). The CVE is ranked at the 3.3rd percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-6 (Least Privilege).

Deeper analysis

CVE-2026-40474 affects wger, a free open-source workout and fitness manager, in versions 2.5 and below. The vulnerability stems from the GymConfigUpdateView class, which declares a permission requirement of 'config.change_gymconfig' but inherits from WgerFormMixin rather than WgerPermissionMixin. This misconfiguration results in the permission never being enforced at runtime. GymConfig operates as an ownerless singleton model, enabling unauthorized modifications to the global gym configuration and triggering save() side effects that bulk-update user profile gym assignments, constituting a vertical privilege escalation to installation-wide configuration control. The issue is associated with CWE-284 (Improper Access Control) and CWE-862 (Missing Authorization), with a CVSS v3.1 base score of 7.6 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:L).

Any authenticated user with low privileges can exploit this vulnerability remotely over the network with low complexity and no user interaction required. Attackers can submit updates to the GymConfigUpdateView endpoint, bypassing permission checks to alter global gym settings. Successful exploitation grants control over installation-wide configuration, including side effects that reassign gyms across all user profiles, potentially disrupting fitness data, user access, or operational settings for the entire wger instance.

The vulnerability is fixed in wger version 2.5, as detailed in the project's GitHub security advisory (GHSA-xppv-4jrx-qf8m), release notes, and the fixing commit (47ee5af93b3ced24b9f94b0a8b9296b50bc9523f). Security practitioners should upgrade to version 2.5 or later and verify that custom deployments enforce proper permission mixins for similar views.
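The root cause described above is a class-based view that declares `permission_required` but inherits only a form mixin, so nothing in its method resolution order ever reads the attribute. The stand-alone Python model below is an added example, not wger's code: `PermissionMixin`, `FormMixin`, `BaseView`, `Request` and the `GYM_CONFIG`/`USER_PROFILES` state are hypothetical stand-ins for the Django and wger classes (no Django install is needed), and `audit_views` is the check a deployment can run over its own view classes to catch the same mistake in other views, as the advice above suggests.

```python
# Added example (not wger's code): a stand-alone model of the mixin-inheritance
# bug behind CVE-2026-40474, plus an audit that flags views declaring a
# permission without inheriting a mixin that enforces it. All class names except
# GymConfigUpdateView are hypothetical stand-ins for the wger/Django mixins.
from dataclasses import dataclass, field


class PermissionDenied(Exception):
    """Raised when a request lacks the permission a view requires."""


@dataclass
class Request:
    """Constructed stand-in for an HTTP request: the user and the permissions they hold."""
    user: str
    perms: set = field(default_factory=set)


class BaseView:
    """Minimal class-based view: dispatch() routes to handle()."""

    def dispatch(self, request, **data):
        return self.handle(request, **data)

    def handle(self, request, **data):
        raise NotImplementedError


class PermissionMixin:
    """Stand-in for an enforcing mixin (WgerPermissionMixin or Django's
    PermissionRequiredMixin): checks permission_required before dispatching."""

    permission_required = None

    def dispatch(self, request, **data):
        perm = self.permission_required
        if perm and perm not in request.perms:
            raise PermissionDenied(perm)
        return super().dispatch(request, **data)


class FormMixin:
    """Stand-in for a form-only mixin (WgerFormMixin): it never reads
    permission_required, so declaring that attribute on a view that inherits
    only this mixin has no effect at runtime."""

    success_url = "/"


# Constructed state modelling the ownerless GymConfig singleton and the user
# profiles whose gym assignment its save() bulk-updates.
GYM_CONFIG = {"default_gym": "main"}
USER_PROFILES = {"alice": "main", "bob": "main", "carol": "branch"}


def save_gym_config(default_gym):
    """Models GymConfig.save(): store the value and bulk-update every profile.
    Returns the number of profiles rewritten."""
    GYM_CONFIG["default_gym"] = default_gym
    for user in USER_PROFILES:
        USER_PROFILES[user] = default_gym
    return len(USER_PROFILES)


class VulnerableGymConfigUpdateView(FormMixin, BaseView):
    """The buggy shape: permission declared, but no class in the MRO reads it."""

    permission_required = "config.change_gymconfig"

    def handle(self, request, **data):
        return save_gym_config(data["default_gym"])


class FixedGymConfigUpdateView(PermissionMixin, FormMixin, BaseView):
    """The corrected shape: the enforcing mixin comes first in the bases, so its
    dispatch() runs before any form handling."""

    permission_required = "config.change_gymconfig"

    def handle(self, request, **data):
        return save_gym_config(data["default_gym"])


def submit(view_cls, request, **data):
    """Drive a view the way a URL dispatcher would. Returns the handle() result,
    or the string 'denied' when the permission check rejects the request."""
    try:
        return view_cls().dispatch(request, **data)
    except PermissionDenied:
        return "denied"


def audit_views(view_classes, enforcing_mixins=(PermissionMixin,)):
    """Return the names of views that declare permission_required but whose MRO
    contains none of the mixins known to enforce it. Run this over a project's
    view classes (with its real enforcing mixins) to catch this pattern."""
    flagged = []
    for cls in view_classes:
        declares = getattr(cls, "permission_required", None)
        enforced = any(m in cls.__mro__ for m in enforcing_mixins)
        if declares and not enforced:
            flagged.append(cls.__name__)
    return flagged
```

Running `submit` with a request that holds no permissions shows the difference: the vulnerable view rewrites the singleton and every profile, while the fixed view returns `denied` and leaves the state untouched. The `audit_views` pass is the useful defender-side takeaway: it depends only on class introspection, so it can run in a unit test against every view module without starting the application.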


Vulnerability details

wger is a free, open-source workout and fitness manager. In versions 2.5 and below, the GymConfigUpdateView declares permission_required = 'config.change_gymconfig' but inherits WgerFormMixin instead of WgerPermissionMixin, so the permission is never enforced at runtime. Since GymConfig is an ownerless singleton, any authenticated user can modify the global gym configuration, triggering save() side effects that bulk-update user profile gym assignments — a vertical privilege escalation to installation-wide configuration control. This issue is fixed in version 2.5.

CWE(s)

CWE-284 Improper Access Control
CWE-862 Missing Authorization

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-selected)

T1068 Exploitation for Privilege Escalation (tactic: Privilege Escalation)
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Why these techniques?

The vulnerability is explicitly described as enabling vertical privilege escalation via missing authorization in GymConfigUpdateView, allowing low-privileged users to modify global configuration and trigger widespread side effects on user profiles.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-30926: shared CWE-284, CWE-862
CVE-2025-70983: shared CWE-284, CWE-862
CVE-2026-48898: shared CWE-284
CVE-2026-8547: shared CWE-862
CVE-2026-25176: shared CWE-284
CVE-2026-22172: shared CWE-862
CVE-2026-48899: shared CWE-284
CVE-2025-48574: shared CWE-862
CVE-2026-37526: shared CWE-284
CVE-2024-56883: shared CWE-284

Affected Assets

wger (vendor: wger), versions ≤ 2.5

Mitigating Controls (NIST 800-53 r5, AI-selected)

Prevent: AC-3 requires enforcement of approved authorizations for access to system resources, directly mitigating the GymConfigUpdateView's failure to enforce the declared 'config.change_gymconfig' permission at runtime.

Prevent: AC-6 employs least privilege to restrict users to only necessary accesses, preventing low-privileged authenticated users from escalating to global gym configuration control.

Prevent: CM-5 restricts access to configuration changes to authorized roles, blocking unauthorized modifications to the ownerless GymConfig singleton and its bulk-update side effects.
