CVE-2026-40474 in wger

Summary

by MITRE • 18/04/2026

wger is a free, open-source workout and fitness manager. In versions 2.5 and below, the GymConfigUpdateView declares permission_required = 'config.change_gymconfig' but inherits WgerFormMixin instead of WgerPermissionMixin, so the permission is never enforced at runtime. Since GymConfig is an ownerless singleton, any authenticated user can modify the global gym configuration, triggering save() side effects that bulk-update user profile gym assignments — a vertical privilege escalation to installation-wide configuration control. This issue is fixed in version 2.5.


Responsible: GitHub M

Reserved: 13/04/2026

Disclosure: 18/04/2026

Moderation: accepted

Entry: VDB-358137

CPE: ready

EPSS: 0.00015

KEV: no

Activity: very low

Sources
