Vulnerability Description
wger is a free, open-source workout and fitness manager. In versions before 2.5, GymConfigUpdateView declares permission_required = 'config.change_gymconfig' but inherits WgerFormMixin instead of WgerPermissionMixin, so the declared permission is never checked at request time: the attribute is only read by the permission mixin, and the view's method resolution order never reaches one. Because GymConfig is an ownerless singleton, any authenticated user can submit the update form and modify the global gym configuration; the model's save() side effects then bulk-update user profile gym assignments. The result is a vertical privilege escalation from an ordinary account to installation-wide configuration control. This issue is fixed in version 2.5.
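The following is an added illustration of the pattern the advisory describes, not wger's own code. It models, without a Django dependency, how a mixin-based permission check works in class-based views: the gate lives in the permission mixin's dispatch(), so a view that declares permission_required but omits that mixin from its bases silently skips the check. The class names WgerFormMixin and WgerPermissionMixin are taken from the advisory; their bodies, the User/Request stand-ins, the GYM_CONFIG dictionary and the views_missing_permission_enforcement() audit helper are assumptions made for this example.

```python
"""Stand-alone model of a Django-style permission mixin bypass.

Not wger's code: the View/dispatch machinery below imitates Django's
class-based-view method resolution so the example runs without Django.
"""
from dataclasses import dataclass, field


@dataclass
class User:
    username: str
    perms: set = field(default_factory=set)

    def has_perm(self, perm: str) -> bool:
        return perm in self.perms


@dataclass
class Request:
    user: User
    method: str = "POST"


class PermissionDenied(Exception):
    pass


class View:
    """Minimal stand-in for django.views.View: dispatch() routes to a handler."""

    def dispatch(self, request):
        return getattr(self, request.method.lower())(request)


class WgerFormMixin:
    """Form-handling mixin (assumed body). It never reads permission_required."""

    def post(self, request):
        return self.form_valid(request)


class WgerPermissionMixin:
    """Assumed body: enforces permission_required before the view runs."""

    permission_required = None

    def dispatch(self, request):
        perm = self.permission_required
        if perm and not request.user.has_perm(perm):
            raise PermissionDenied(perm)
        return super().dispatch(request)


# Constructed stand-in for the ownerless GymConfig singleton.
GYM_CONFIG = {"default_gym": "Main Gym"}


class GymConfigUpdateViewVulnerable(WgerFormMixin, View):
    """Pattern from the advisory: attribute declared, enforcing mixin absent."""

    permission_required = "config.change_gymconfig"

    def form_valid(self, request):
        GYM_CONFIG["default_gym"] = f"set by {request.user.username}"
        return 302


class GymConfigUpdateViewFixed(WgerPermissionMixin, WgerFormMixin, View):
    """Permission mixin placed first so its dispatch() runs before the form."""

    permission_required = "config.change_gymconfig"

    def form_valid(self, request):
        GYM_CONFIG["default_gym"] = f"set by {request.user.username}"
        return 302


def attempt_update(view_cls, user):
    """Return 'modified' or 'denied' for an authenticated user hitting the view."""
    try:
        view_cls().dispatch(Request(user=user))
    except PermissionDenied:
        return "denied"
    return "modified"


def views_missing_permission_enforcement(view_classes):
    """Regression check: views that declare permission_required but have no
    enforcing mixin anywhere in their MRO. Run over every registered view."""
    return sorted(
        cls.__name__
        for cls in view_classes
        if getattr(cls, "permission_required", None)
        and WgerPermissionMixin not in cls.__mro__
    )
```

The audit helper is the part worth keeping: a declared permission_required with no enforcing mixin in the MRO is exactly the shape of this bug, and a test that walks the URLconf and asserts the list is empty would have caught it. In real Django the enforcing base is django.contrib.auth.mixins.PermissionRequiredMixin (or the project's wrapper around it), so substitute that class in the MRO check.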
CVSS Score
HIGH (base score 7.6)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Wger | Wger | < 2.5 |
Related Weaknesses (CWE)
References
- Patch: https://github.com/wger-project/wger/commit/47ee5af93b3ced24b9f94b0a8b9296b50bc9
- Release Notes: https://github.com/wger-project/wger/releases/tag/2.5
- Vendor Advisory (includes exploit details): https://github.com/wger-project/wger/security/advisories/GHSA-xppv-4jrx-qf8m
FAQ
What is CVE-2026-40474?
CVE-2026-40474 is a missing-authorization vulnerability in wger, the open-source workout and fitness manager, with a CVSS base score of 7.6 (HIGH). In versions before 2.5, GymConfigUpdateView declares permission_required = 'config.change_gymconfig' but inherits WgerFormMixin instead of WgerPermissionMixin, so the permission is never enforced and any authenticated user can change the global gym configuration. See the Vulnerability Description above for the full details.
How severe is CVE-2026-40474?
CVE-2026-40474 has been rated HIGH with a CVSS base score of 7.6/10. The severity follows from the impact: any authenticated user, not just an administrator, can change installation-wide configuration, and the resulting save() side effects rewrite user profile gym assignments across the installation.
Is there a patch for CVE-2026-40474?
Yes. The issue is fixed in wger 2.5; the patch commit, the 2.5 release notes and the vendor advisory (GHSA-xppv-4jrx-qf8m) are linked in the References section above. Affected: Wger Wger, versions before 2.5.