CVE-2026-43948: wger Workout Manager Critical Account Takeover

The National Vulnerability Database has detailed CVE-2026-43948, a critical vulnerability in wger, an open-source workout and fitness manager. Versions prior to 2.6 are affected. The flaw resides in the reset_user_password and gym_permissions_user_edit views. A logical error in the gym-scope authorization check allows an attacker to bypass the guard when both the attacker and victim are not assigned to any gym (gym=None).

Specifically, a user with gym.manage_gym permission and gym=None can reset the password of any other gym=None user. The new plaintext password is then returned directly in the HTML response, granting immediate and full account takeover. This action also invalidates the victim’s original password, effectively locking them out permanently. The National Vulnerability Database rates this with a CVSS score of 9.9 (CRITICAL).

This is a straight-up account takeover, no fancy footwork required. The fix is available in wger version 2.6. Organizations using wger must prioritize this patch. An attacker who holds, or compromises, a gym.manage_gym account with no gym assignment can leverage this simple authorization bypass against every other gym=None user for quick account compromise.

What This Means For You

  • If your organization uses wger, immediately confirm your version. If it's prior to 2.6, patch to 2.6 or higher RIGHT NOW. Audit user accounts to identify any with `gym=None` assignments, as these are the directly exposed targets. Any `gym.manage_gym` user with `gym=None` is a potential attacker account, whether malicious or compromised; until you can patch, assigning such users to a gym or removing the permission takes away the precondition for the bypass.
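As an added illustration, not wger's own code: a hypothetical reconstruction of the shape of the failing gym-scope check (two None gym values compare equal, so the guard passes) beside a hardened version that treats a missing gym assignment as never in scope, plus a small audit helper for the account review recommended above. The `User` type, the permission string handling and the sample accounts are constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Optional

MANAGE_GYM = "gym.manage_gym"

@dataclass(frozen=True)
class User:
    username: str
    gym: Optional[int]  # gym id, or None when the user is not assigned to any gym
    perms: frozenset = field(default_factory=frozenset)

def vulnerable_gym_scope_check(actor: User, target: User) -> bool:
    """Hypothetical reconstruction of the pre-2.6 guard's shape: the actor needs
    gym.manage_gym and the two gym attributes must compare equal. When both are
    None, None == None is True, so an unassigned manager passes for every
    unassigned target."""
    if MANAGE_GYM not in actor.perms:
        return False
    return actor.gym == target.gym

def fixed_gym_scope_check(actor: User, target: User) -> bool:
    """Hardened form: a missing gym assignment never satisfies the scope check;
    both users must belong to the same concrete gym."""
    if MANAGE_GYM not in actor.perms:
        return False
    if actor.gym is None or target.gym is None:
        return False
    return actor.gym == target.gym

def exposed_accounts(users):
    """Audit helper for the account review above: managers with gym=None (usable
    as the actor) and every gym=None user (the reachable targets)."""
    actors = sorted(u.username for u in users if u.gym is None and MANAGE_GYM in u.perms)
    targets = sorted(u.username for u in users if u.gym is None)
    return actors, targets

# Constructed sample accounts, not real wger data.
SAMPLE_USERS = [
    User("manager_nogym", None, frozenset({MANAGE_GYM})),
    User("manager_gym1", 1, frozenset({MANAGE_GYM})),
    User("member_nogym", None),
    User("member_gym1", 1),
    User("member_gym2", 2),
]

if __name__ == "__main__":
    actor = SAMPLE_USERS[0]
    for target in SAMPLE_USERS[2:]:
        print(target.username, vulnerable_gym_scope_check(actor, target), fixed_gym_scope_check(actor, target))
```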

🛡️ Detection Rules

Detection rules auto-generated for this incident, mapped to MITRE ATT&CK; the Sigma YAML is shown below.

Severity: critical · ATT&CK: T1190 (Initial Access)

CVE-2026-43948: wger Password Reset Account Takeover

Sigma YAML

```yaml
title: 'CVE-2026-43948: wger Password Reset Account Takeover'
id: scw-2026-05-12-ai-1
status: experimental
level: critical
description: |
  Detects the specific password reset mechanism in wger (CVE-2026-43948) where a user with
  'gym.manage_gym' permission and no gym assignment (gym=None) can reset the password of any
  other user with gym=None. The detection looks for POST requests to the password reset
  endpoint with a query parameter indicating a gym=None context, which is characteristic of
  the vulnerability exploitation. The plaintext password returned in the HTML response
  (status 200) enables account takeover.
author: SCW Feed Engine (AI-generated)
date: 2026-05-12
references:
  - https://shimiscyberworld.com/posts/nvd-CVE-2026-43948/
tags:
  - attack.initial_access
  - attack.t1190
logsource:
  category: webserver
detection:
  selection:
    cs-uri|contains:
      - '/password/reset/'
    cs-method:
      - 'POST'
    sc-status:
      - '200'
  selection_payload:
    cs-uri-query|contains:
      - 'gym=None'
  condition: selection and selection_payload
falsepositives:
  - Legitimate administrative activity
```

Tuning note: `gym=None` describes a server-side attribute of the user's profile, not a value a request has to carry in its query string, and `/password/reset/` is the rule's assumed path rather than one confirmed from the wger source. Before relying on this rule, map it to the actual URL of the reset_user_password view in your deployment and expect the `selection_payload` clause to miss real activity unless that path happens to echo the gym value.

Source: Shimi's Cyber World

Indicators of Compromise

| ID | Type | Indicator |
| --- | --- | --- |
| CVE-2026-43948 | Auth Bypass | wger workout and fitness manager versions prior to 2.6 |
| CVE-2026-43948 | | wger vulnerable views: reset_user_password, gym_permissions_user_edit |
| CVE-2026-43948 | Information Disclosure | wger plaintext password returned in HTML response body |
Source & Attribution

Source Platform: NVD
Channel: National Vulnerability Database
Published: May 13, 2026 at 01:16 UTC

This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.
