wger Fitness Manager: Auth Bypass Grants Global Config Control
The National Vulnerability Database has published CVE-2026-40474, a high-severity vulnerability (CVSS 7.6) affecting wger workout and fitness manager versions 2.5 and below. The flaw stems from an incorrect inheritance pattern in GymConfigUpdateView: the view never enforces the config.change_gymconfig permission, so any authenticated user can modify the global gym configuration.
This isn’t just a minor misconfiguration; it’s a vertical privilege escalation. Because GymConfig is an ownerless singleton, there is no per-object ownership check to fall back on once the permission check is missing, and an attacker can trigger the model's save() side effects. This effectively enables them to bulk-update user profile gym assignments across the entire installation, granting installation-wide configuration control. The issue is tracked under CWE-284 (Improper Access Control) and CWE-862 (Missing Authorization).
This vulnerability is fixed in wger version 2.5. Organizations using wger should prioritize patching immediately to prevent unauthorized configuration changes and potential disruption to user profiles and system settings.
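The following is an added, constructed example (not wger's code and not taken from the advisory) that illustrates the class of mistake described above: a Django-style class-based view that declares a permission but does not inherit the mixin that enforces it. The two mixins are simplified stand-ins for Django's LoginRequiredMixin and PermissionRequiredMixin from django.contrib.auth.mixins, the view names, the config dictionary and the users are all made up, and audit_views() is a defender-side check you could adapt to walk your own project's views.

```python
"""Constructed illustration of the view-inheritance mistake behind the wger
advisory. Not wger's code: the view classes, the config dict and the users are
made up here, and the two mixins are simplified stand-ins for Django's
LoginRequiredMixin / PermissionRequiredMixin (django.contrib.auth.mixins)."""
from dataclasses import dataclass, field


class PermissionDenied(Exception):
    """Raised when a request is rejected by an access check."""


@dataclass
class User:
    username: str
    perms: set = field(default_factory=set)

    def has_perm(self, perm: str) -> bool:
        return perm in self.perms


class View:
    """Base view: dispatch() hands the request to post()."""

    def dispatch(self, user, **changes):
        return self.post(user, **changes)

    def post(self, user, **changes):
        raise NotImplementedError


class LoginRequiredMixin:
    """Rejects anonymous callers, then continues down the MRO."""

    def dispatch(self, user, **changes):
        if user is None:
            raise PermissionDenied("login required")
        return super().dispatch(user, **changes)


class PermissionRequiredMixin:
    """Enforces permission_required, but only if it sits in the view's MRO."""

    permission_required = None

    def dispatch(self, user, **changes):
        if not user.has_perm(self.permission_required):
            raise PermissionDenied(f"missing {self.permission_required}")
        return super().dispatch(user, **changes)


class GymConfigUpdateViewBase(View):
    """Stand-in for an UpdateView over a singleton config: it has no owner,
    so there is no per-object ownership check to fall back on."""

    def __init__(self, config: dict):
        self.config = config

    def post(self, user, **changes):
        self.config.update(changes)  # stand-in for the model's save() side effects
        return self.config


class VulnerableGymConfigUpdateView(LoginRequiredMixin, GymConfigUpdateViewBase):
    # The attribute is declared, but nothing in the MRO reads it: every logged-in
    # user reaches post(). This is the missing-authorization pattern (CWE-862).
    permission_required = "config.change_gymconfig"


class FixedGymConfigUpdateView(LoginRequiredMixin, PermissionRequiredMixin,
                               GymConfigUpdateViewBase):
    # Same attribute, but now an enforcing mixin sits before the base view.
    permission_required = "config.change_gymconfig"


def attempt_update(view_cls, user, **changes):
    """Run one request against a fresh constructed config; return (allowed, config)."""
    config = {"default_gym": "main"}
    try:
        view_cls(config).dispatch(user, **changes)
        return True, config
    except PermissionDenied:
        return False, config


def audit_views(views):
    """Defender-side check: names of views that declare permission_required
    without an enforcing mixin anywhere in their MRO."""
    return sorted(
        v.__name__ for v in views
        if getattr(v, "permission_required", None)
        and PermissionRequiredMixin not in v.__mro__
    )


if __name__ == "__main__":
    member = User("member")  # any authenticated user, no special permissions
    admin = User("admin", {"config.change_gymconfig"})
    print(attempt_update(VulnerableGymConfigUpdateView, member, default_gym="x"))
    print(attempt_update(FixedGymConfigUpdateView, member, default_gym="x"))
    print(attempt_update(FixedGymConfigUpdateView, admin, default_gym="x"))
    print(audit_views([VulnerableGymConfigUpdateView, FixedGymConfigUpdateView]))
```

The point the example makes is that in Django-style views the permission_required attribute is inert data; only a mixin in the method resolution order turns it into a check. A unit test that runs audit_views() over every class-based view in the urlconf, plus a request-level test that exercises each mutating view with a permission-less user, catches this class of regression before it ships.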
What This Means For You
- If your organization uses wger workout and fitness manager, you are directly exposed to a critical privilege escalation: an attacker with any authenticated user account can seize control of your entire gym configuration. Verify your wger version immediately; if it's 2.5 or below, patch to version 2.5 or higher without delay to mitigate CVE-2026-40474.
Indicators of Compromise
| ID | Type | Indicator |
|---|---|---|
| CVE-2026-40474 | Privilege Escalation | wger workout and fitness manager versions 2.5 and below |
| CVE-2026-40474 | Privilege Escalation | GymConfigUpdateView in wger |
| CVE-2026-40474 | Auth Bypass | Missing permission enforcement for 'config.change_gymconfig' in GymConfigUpdateView |
Source & Attribution
| Field | Value |
|---|---|
| Source Platform | NVD |
| Channel | National Vulnerability Database |
| Published | April 18, 2026 at 01:16 UTC |
This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.