CVE-2026-40474 HIGH

CVE-2026-40474: wger has Broken Access Control in the Global Gym Configuration Update Endpoint

Vendor Wger-Project
Product wger
Weakness CWE-284
Published April 17, 2026
Last update April 20, 2026

CVSS base score

7.6/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Scope Unchanged
Confidentiality Low
Integrity High
Availability Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:L

What the vulnerability does

Description

wger is a free, open-source workout and fitness manager. In versions 2.5 and below, the GymConfigUpdateView declares permission_required = 'config.change_gymconfig' but inherits WgerFormMixin instead of WgerPermissionMixin, so the permission is never enforced at runtime. Since GymConfig is an ownerless singleton, any authenticated user can modify the global gym configuration, triggering save() side effects that bulk-update user profile gym assignments — a vertical privilege escalation to installation-wide configuration control. This issue is fixed in version 2.5.
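The mechanism described above, as an added example that is not wger's code: a `permission_required` attribute on a class-based view is inert unless a mixin that actually reads it sits in the view's MRO. The `View`, `FormMixin` and `PermissionMixin` classes are assumed, simplified stand-ins for Django's base view and for the WgerFormMixin / WgerPermissionMixin named in the advisory; the audit helper at the end is one way a defender can flag views with the same gap.

```python
"""Added example (not wger's code): permission_required is only enforced when an
enforcing mixin is in the MRO; plus an audit helper that flags views lacking one.
All classes are simplified stand-ins, not Django's or wger's real classes."""
from dataclasses import dataclass, field


@dataclass
class User:
    name: str
    perms: set = field(default_factory=set)


class View:
    """Stand-in base view: dispatch() runs the handler with no checks at all."""
    def dispatch(self, user):
        return self.handle(user)

    def handle(self, user):
        return "updated"          # the side-effecting save() would run here


class FormMixin:
    """Stand-in for WgerFormMixin: form plumbing only, never reads permission_required."""


class PermissionMixin:
    """Stand-in for WgerPermissionMixin: checks permission_required before dispatch."""
    permission_required = None

    def dispatch(self, user):
        if self.permission_required and self.permission_required not in user.perms:
            return "403"
        return super().dispatch(user)


class VulnerableConfigView(FormMixin, View):
    permission_required = "config.change_gymconfig"   # declared, but nothing reads it


class FixedConfigView(PermissionMixin, FormMixin, View):
    permission_required = "config.change_gymconfig"   # enforced by PermissionMixin.dispatch


def unenforced_permission_views(views, enforcers=(PermissionMixin,)):
    """Names of views that declare permission_required but have no enforcing mixin."""
    return [v.__name__ for v in views
            if getattr(v, "permission_required", None)
            and not any(issubclass(v, e) for e in enforcers)]
```

Running `unenforced_permission_views` over every registered view class is the kind of check that would have caught the vulnerable declaration before release.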

Key dates

Disclosure timeline

April 17, 2026 CVE published
April 20, 2026 Record updated