CVE-2026-40474
Description
wger is a free, open-source workout and fitness manager. In versions before 2.5, GymConfigUpdateView declares permission_required = 'config.change_gymconfig' but inherits from WgerFormMixin rather than WgerPermissionMixin, so nothing in the view's dispatch chain ever reads that attribute and the permission is never enforced at runtime. Because GymConfig is an ownerless singleton, any authenticated user can modify the global gym configuration, triggering save() side effects that bulk-update user profile gym assignments: a vertical privilege escalation to installation-wide configuration control. This issue is fixed in version 2.5.
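The mechanism described above, modelled in plain Python as an added example (this is not wger's code or Django's). Django is not imported: BaseView, WgerFormMixin and WgerPermissionMixin are stand-ins that reproduce the one property that matters here, namely that dispatch() is resolved through the MRO, so a permission check only happens if some base in that chain performs it. The names GymConfig, WgerFormMixin, WgerPermissionMixin, permission_required and login_required come from the advisory and the patch; everything else, including the audit helper at the end, is an assumption made for this illustration.

```python
"""Model of the GymConfigUpdateView bug, as an added example (not wger code).

Django is not imported.  BaseView, WgerFormMixin and WgerPermissionMixin are
stand-ins that reproduce one thing about Django class-based views: dispatch()
is resolved through the MRO, so a check only happens if some base in that
chain performs it.  Everything except the names GymConfig, WgerFormMixin,
WgerPermissionMixin, permission_required and login_required is an assumption
made for this illustration.
"""
from dataclasses import dataclass, field


class PermissionDenied(Exception):
    """Stand-in for django.core.exceptions.PermissionDenied."""


@dataclass
class User:
    username: str
    perms: set = field(default_factory=set)
    is_authenticated: bool = True

    def has_perm(self, perm):
        return perm in self.perms


@dataclass
class GymConfig:
    """Stand-in for the ownerless singleton; its save() side effects are omitted."""
    default_gym: str = "Gym A"


@dataclass
class Request:
    user: User
    config: GymConfig
    data: dict


class BaseView:
    """Stand-in for UpdateView: the last dispatch() in the chain applies the edit."""

    def dispatch(self, request):
        request.config.default_gym = request.data["default_gym"]
        return "saved"


class WgerFormMixin:
    """Form/template helper mixin.  It never reads permission_required, so
    declaring that attribute on a subclass changes nothing by itself."""

    def dispatch(self, request):
        return super().dispatch(request)


class WgerPermissionMixin:
    """Permission-enforcing mixin: checks, then delegates down the MRO."""

    login_required = False
    permission_required = None

    def dispatch(self, request):
        if self.login_required and not request.user.is_authenticated:
            raise PermissionDenied("login required")
        if self.permission_required and not request.user.has_perm(self.permission_required):
            raise PermissionDenied(self.permission_required)
        return super().dispatch(request)


class VulnerableGymConfigUpdateView(WgerFormMixin, BaseView):
    """Pre-fix shape: the attribute is declared, but nothing in the MRO reads it."""
    permission_required = "config.change_gymconfig"


class FixedGymConfigUpdateView(WgerPermissionMixin, WgerFormMixin, BaseView):
    """Post-fix shape: WgerPermissionMixin is leftmost, so its dispatch() runs first."""
    login_required = True
    permission_required = "config.change_gymconfig"


def attempt(view_cls, user, config, new_default):
    """Try to change config.default_gym through view_cls; return 'saved' or 'denied'."""
    try:
        return view_cls().dispatch(Request(user, config, {"default_gym": new_default}))
    except PermissionDenied:
        return "denied"


def unenforced_permission_views(view_classes):
    """Audit helper (assumption, not wger code): names of view classes that set
    permission_required themselves but have no permission-enforcing base."""
    return [
        cls.__name__
        for cls in view_classes
        if "permission_required" in cls.__dict__
        and WgerPermissionMixin not in cls.__mro__
    ]


if __name__ == "__main__":
    member = User("member")  # authenticated, no special permissions (constructed)
    for view in (VulnerableGymConfigUpdateView, FixedGymConfigUpdateView):
        cfg = GymConfig()
        print(view.__name__, "member:", attempt(view, member, cfg, "Gym B"),
              "->", cfg.default_gym)
    print("views needing attention:", unenforced_permission_views(
        [VulnerableGymConfigUpdateView, FixedGymConfigUpdateView]))
```

Running the module shows the plain member saving the singleton through the vulnerable shape and being refused by the fixed one; the audit helper is the check that would have flagged the class before release, since it looks for exactly the pattern the advisory describes: permission_required set on a class whose MRO contains no mixin that enforces it.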
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| wger (PyPI) | <= 2.1 | — |
Patches
47ee5af93b3c Properly protect the gym config view
1 file changed · +6 −2
wger/config/views/gym_config.py+6 −2 modified@@ -24,19 +24,23 @@ # wger from wger.config.models import GymConfig -from wger.utils.generic_views import WgerFormMixin +from wger.utils.generic_views import ( + WgerFormMixin, + WgerPermissionMixin, +) logger = logging.getLogger(__name__) -class GymConfigUpdateView(WgerFormMixin, UpdateView): +class GymConfigUpdateView(WgerPermissionMixin, WgerFormMixin, UpdateView): """ Generic view to edit the gym config table """ model = GymConfig fields = ('default_gym',) + login_required = True permission_required = 'config.change_gymconfig' success_url = reverse_lazy('gym:gym:list') title = gettext_lazy('Edit')
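Review bot: the base-class order on the new class line is the load-bearing part of this fix and nothing in the hunk says so; WgerPermissionMixin must stay to the left of WgerFormMixin and UpdateView so that its dispatch() runs before any form handling, and a later reorder would silently reopen the hole. Add a one-line comment above `class GymConfigUpdateView(WgerPermissionMixin, WgerFormMixin, UpdateView):` stating that constraint. This is also a one-file change with no test, while the bug was precisely a declared-but-unenforced `permission_required = 'config.change_gymconfig'`; a regression test that logs in a user without that permission and asserts a 403 on the gym config edit view is the only thing that guards the attribute actually being read. Finally, the same shape (permission_required set on a class that inherits only WgerFormMixin) may exist elsewhere; an audit across the views, or a check in WgerFormMixin that raises when permission_required is set on a class whose MRO lacks WgerPermissionMixin, would close the class of bug rather than this instance.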
Vulnerability mechanics
Generated on May 9, 2026 from CWE entries and the fix-commit diffs listed under Patches for this CVE; citations validated against the bundle.
References
- github.com/wger-project/wger/commit/47ee5af93b3ced24b9f94b0a8b9296b50bc9523f (patch; via NVD)
- github.com/wger-project/wger/security/advisories/GHSA-xppv-4jrx-qf8m (vendor advisory, exploit; via NVD)
- github.com/advisories/GHSA-xppv-4jrx-qf8m (advisory; via GHSA)
- nvd.nist.gov/vuln/detail/CVE-2026-40474 (advisory; via GHSA)
- github.com/wger-project/wger/releases/tag/2.5 (release notes; via NVD)