CVE-2026-43978info

Summary

by MITRE • 07/17/2026

wger is a free, open-source workout and fitness manager. In versions prior to 2.6, a gym trainer can escalate their session to any higher-privileged account (gym manager, general manager) by chaining two calls to the trainer-login endpoint. Once a trainer performs a legitimate switch into a low-privileged user, the session flag trainer.identity is set and this flag alone bypasses the permission check on all subsequent trainer-login calls. This grants full gym administration capabilities including viewing all member data, modifying contracts, managing gym configuration, and accessing other trainers' and managers' personal information. This issue has been fixed in version 2.6.

Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.

Analysis

by VulDB Data Team • 07/17/2026

The vulnerability in wger fitness management software represents a critical session management flaw that enables privilege escalation through improper access control implementation. This issue stems from a fundamental failure in how the application handles authentication state transitions, specifically within the trainer-login endpoint functionality. The vulnerability allows any gym trainer to gain unauthorized access to higher-privileged accounts by exploiting a session flag manipulation pattern that bypasses normal permission checks. This flaw exists at the intersection of weak session validation and inadequate privilege boundaries, creating a pathway for unauthorized elevation of privileges.

The technical implementation of this vulnerability relies on the improper handling of the trainer.identity session flag which serves as an insecure direct object reference mechanism. When a legitimate trainer performs a user switch operation to a lower-privileged account, the system sets the trainer.identity flag in the session state without proper validation or token regeneration. This flag then becomes a persistent access credential that bypasses all subsequent authentication checks on trainer-login calls. The vulnerability demonstrates a classic case of insufficient privilege management where session state is not properly invalidated or re-validated after user switching operations, creating an insecure session continuation scenario that directly violates secure coding principles.

The operational impact of this vulnerability extends far beyond simple unauthorized access, as it provides complete administrative control over fitness facility operations. An attacker with trainer privileges can access comprehensive member databases including personal health information, contract details, and financial records while also gaining the ability to modify gym configurations, manage personnel assignments, and view confidential communications between trainers and managers. This level of access violates data protection principles and creates significant risks for privacy compliance, particularly in environments governed by regulations such as gdpr or hipaa where personal health information must be strictly controlled. The vulnerability essentially transforms a limited trainer account into a full administrative tool that can be used to compromise the entire facility's operational integrity.

This vulnerability aligns with multiple CWE categories including cw305 improper authentication and cw617 reachable assertion, while also mapping to several ATT&CK techniques such as privilege escalation through access token manipulation and credential access via session hijacking. The issue demonstrates how insufficient session management can lead to complete system compromise, with the attack vector being particularly dangerous due to its simplicity and the broad scope of permissions granted. Organizations using affected versions should immediately implement patch management procedures to address this vulnerability, while also conducting comprehensive security audits to identify similar session management flaws in other applications. The fix implemented in version 2.6 likely involves proper session state validation and token regeneration after user switching operations, ensuring that privilege escalation attempts are properly rejected and that session boundaries are maintained according to established security frameworks.

Disclosure

07/17/2026

Moderation

in review

EPSS

0.00000

KEV

no

Activities

very low

Sources

Might our Artificial Intelligence support you?

Check our Alexa App!