{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-40474", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-04-13T19:50:42.113Z", "datePublished": "2026-04-17T21:39:03.677Z", "dateUpdated": "2026-04-20T16:08:12.427Z"}, "containers": {"cna": {"title": "wger has Broken Access Control in the Global Gym Configuration Update Endpoint", "problemTypes": [{"descriptions": [{"cweId": "CWE-284", "lang": "en", "description": "CWE-284: Improper Access Control", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-862", "lang": "en", "description": "CWE-862: Missing Authorization", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 7.6, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:L", "version": "3.1"}}], "references": [{"name": "https://github.com/wger-project/wger/security/advisories/GHSA-xppv-4jrx-qf8m", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/wger-project/wger/security/advisories/GHSA-xppv-4jrx-qf8m"}, {"name": "https://github.com/wger-project/wger/commit/47ee5af93b3ced24b9f94b0a8b9296b50bc9523f", "tags": ["x_refsource_MISC"], "url": "https://github.com/wger-project/wger/commit/47ee5af93b3ced24b9f94b0a8b9296b50bc9523f"}, {"name": "https://github.com/wger-project/wger/releases/tag/2.5", "tags": ["x_refsource_MISC"], "url": "https://github.com/wger-project/wger/releases/tag/2.5"}], "affected": [{"vendor": "wger-project", "product": "wger", "versions": [{"version": "< 2.5", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-17T21:39:03.677Z"}, "descriptions": [{"lang": "en", "value": "wger is a free, open-source workout and fitness manager. In versions 2.5 and below, the GymConfigUpdateView declares permission_required = 'config.change_gymconfig' but inherits WgerFormMixin instead of WgerPermissionMixin, so the permission is never enforced at runtime. Since GymConfig is an ownerless singleton, any authenticated user can modify the global gym configuration, triggering save() side effects that bulk-update user profile gym assignments \u2014 a vertical privilege escalation to installation-wide configuration control. This issue is fixed in version 2.5."}], "source": {"advisory": "GHSA-xppv-4jrx-qf8m", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-20T16:07:54.509720Z", "id": "CVE-2026-40474", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-20T16:08:12.427Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-40474", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-20T16:07:54.509720Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-20T16:08:06.942Z"}}], "cna": {"title": "wger has Broken Access Control in the Global Gym Configuration Update Endpoint", "source": {"advisory": "GHSA-xppv-4jrx-qf8m", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.6, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:L", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}}], "affected": [{"vendor": "wger-project", "product": "wger", "versions": [{"status": "affected", "version": "< 2.5"}]}], "references": [{"url": "https://github.com/wger-project/wger/security/advisories/GHSA-xppv-4jrx-qf8m", "name": "https://github.com/wger-project/wger/security/advisories/GHSA-xppv-4jrx-qf8m", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/wger-project/wger/commit/47ee5af93b3ced24b9f94b0a8b9296b50bc9523f", "name": "https://github.com/wger-project/wger/commit/47ee5af93b3ced24b9f94b0a8b9296b50bc9523f", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/wger-project/wger/releases/tag/2.5", "name": "https://github.com/wger-project/wger/releases/tag/2.5", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "wger is a free, open-source workout and fitness manager. In versions 2.5 and below, the GymConfigUpdateView declares permission_required = 'config.change_gymconfig' but inherits WgerFormMixin instead of WgerPermissionMixin, so the permission is never enforced at runtime. Since GymConfig is an ownerless singleton, any authenticated user can modify the global gym configuration, triggering save() side effects that bulk-update user profile gym assignments \u2014 a vertical privilege escalation to installation-wide configuration control. This issue is fixed in version 2.5."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-284", "description": "CWE-284: Improper Access Control"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "CWE-862: Missing Authorization"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-17T21:39:03.677Z"}}}, "cveMetadata": {"cveId": "CVE-2026-40474", "state": "PUBLISHED", "dateUpdated": "2026-04-20T16:08:12.427Z", "dateReserved": "2026-04-13T19:50:42.113Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-04-17T21:39:03.677Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:wger:wger:*:*:*:*:*:*:*:*", "matchCriteriaId": "7674E242-4B20-48B6-95C2-118E1DD4D29B", "versionEndExcluding": "2.5", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "wger is a free, open-source workout and fitness manager. In versions 2.5 and below, the GymConfigUpdateView declares permission_required = 'config.change_gymconfig' but inherits WgerFormMixin instead of WgerPermissionMixin, so the permission is never enforced at runtime. Since GymConfig is an ownerless singleton, any authenticated user can modify the global gym configuration, triggering save() side effects that bulk-update user profile gym assignments \u2014 a vertical privilege escalation to installation-wide configuration control. This issue is fixed in version 2.5."}], "id": "CVE-2026-40474", "lastModified": "2026-04-24T14:46:22.683", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 7.6, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:L", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 4.7, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-17T22:16:33.213", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/wger-project/wger/commit/47ee5af93b3ced24b9f94b0a8b9296b50bc9523f"}, {"source": "security-advisories@github.com", "tags": ["Release Notes"], "url": "https://github.com/wger-project/wger/releases/tag/2.5"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/wger-project/wger/security/advisories/GHSA-xppv-4jrx-qf8m"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-284"}, {"lang": "en", "value": "CWE-862"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,2.5)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "wger", "source": "cna", "vendor": "wger-project"}, "product": "wger", "vendor": "wger-project"}], "analysis": {"en": {"generated_at": "2026-04-18T17:04:48.313914+00:00", "value": {"mitigation_remediation": ["Upgrade wger to version 2.5 or later to apply the fixed permission enforcement", "Configure the permissions so that only users in the administrator group have the 'config.change_gymconfig' permission, and revoke it from all other users", "Enable logging of all actions to the global gym configuration so that changes are auditable and can be reviewed for unauthorized modifications"], "summary": {"action": "Patch", "impact": "Privilege Escalation"}, "threat_synthesis": {"affected_systems": "This issue affects all releases of wger prior to the 2.5 release. The mitigation was applied in version 2.5, which replaces the incorrect mixin with the proper permission enforcement logic. System administrators should verify the installed version and upgrade accordingly.", "description_and_impact": "The GymConfigUpdateView incorrectly inherits the permission mixin, causing the declared permission 'config.change_gymconfig' to never be checked at runtime. Any authenticated user can therefore change the global gym configuration, triggering side effects that bulk\u2011update all user gym assignments. The attacker thereby gains installation\u2011wide configuration control, a form of vertical privilege escalation that bypasses the intended access restrictions.", "risk_and_exploitability": "With a CVSS score of 7.6 the vulnerability is considered high severity; it requires the attacker to be authenticated, which is a low barrier for any user. The EPSS score is not available, and the vulnerability is not listed in CISA\u2019s KEV catalog, indicating no known widespread exploitation yet. Nonetheless, because any logged\u2011in user can modify global settings that affect all users, the potential impact on integrity and availability is significant, and the vulnerability should be treated as a priority for remediation."}}}}, "created": "2026-04-17T22:30:29.499278+00:00", "updated": "2026-04-18T17:15:05.777401+00:00", "vendors": ["wger-project", "wger-project$PRODUCT$wger"]}