Description

wger is a free, open-source workout and fitness manager. In versions 2.5 and below, the GymConfigUpdateView declares permission_required = 'config.change_gymconfig' but inherits WgerFormMixin instead of WgerPermissionMixin, so the permission is never enforced at runtime. Since GymConfig is an ownerless singleton, any authenticated user can modify the global gym configuration, triggering save() side effects that bulk-update user profile gym assignments — a vertical privilege escalation to installation-wide configuration control. This issue is fixed in version 2.5.

INFO

Published Date :

2026-04-17T21:39:03.677Z

Last Modified :

2026-04-20T16:08:12.427Z

Source :

GitHub_M
AFFECTED PRODUCTS

The following products are affected by CVE-2026-40474 vulnerability.

Vendors Products
Wger
  • Wger
Wger-project
  • Wger
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2026-40474.

URL Resource
https://github.com/wger-project/wger/commit/47ee5af93b3ced24b9f94b0a8b9296b50bc9523f cve-icon cve-icon
https://github.com/wger-project/wger/releases/tag/2.5 cve-icon cve-icon
https://github.com/wger-project/wger/security/advisories/GHSA-xppv-4jrx-qf8m cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact