Vertical Privilege Escalation in Wger Workout Manager Affects User Configuration Control
CVE-2026-40474

7.6 HIGH

Key Information:

CVE Published:
17 April 2026

What is CVE-2026-40474?

wger, an open-source workout and fitness manager, fails to enforce permissions on its GymConfigUpdateView in versions prior to 2.5. Because of incorrect inheritance, the view never applies the permission check its base classes were expected to provide, so any authenticated user can modify the global gym configuration. That configuration drives user profile assignments across the installation, so an unauthorized change has side effects well beyond the attacker's own account and can amount to a complete takeover of the installation's configuration settings. Version 2.5 fixes the issue; administrators should upgrade to 2.5 or later.
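The following is an added illustration of the bug class described above, not code from wger. It uses small stand-ins for Django's View, UpdateView, LoginRequiredMixin and PermissionRequiredMixin (wger is a Django application) to show how a class-based view loses its permission check when the permission mixin is missing from, or placed after the base view in, its inheritance chain. All class names, the permission string and the audit helper are hypothetical.

```python
# Added example (not wger's code): how inheritance decides whether a Django-style
# class-based view enforces permissions. Stand-ins below mimic Django's dispatch
# chain; class and permission names are hypothetical.

from dataclasses import dataclass, field


@dataclass
class User:
    username: str
    is_authenticated: bool = True
    perms: set = field(default_factory=set)

    def has_perm(self, perm: str) -> bool:
        return perm in self.perms


@dataclass
class Request:
    user: User
    method: str = "POST"


class View:
    """Stand-in for django.views.generic.View: routes to the method handler."""

    def dispatch(self, request):
        return getattr(self, request.method.lower())(request)


class UpdateView(View):
    """Stand-in for UpdateView: any request that reaches post() mutates the object."""

    def post(self, request):
        return 200, "config saved"


class LoginRequiredMixin:
    """Only checks that the caller is logged in; it says nothing about authorization."""

    def dispatch(self, request):
        if not request.user.is_authenticated:
            return 401, "login required"
        return super().dispatch(request)


class PermissionRequiredMixin:
    """Rejects callers lacking permission_required, then hands off down the MRO."""

    permission_required = None

    def dispatch(self, request):
        if not request.user.has_perm(self.permission_required):
            return 403, "forbidden"
        return super().dispatch(request)


# "Before": only a login check is inherited, so every authenticated user reaches post().
class VulnerableGymConfigUpdateView(LoginRequiredMixin, UpdateView):
    pass


# "After": the permission mixin sits before UpdateView in the MRO, so its dispatch()
# runs before the handler and unauthorized users get 403.
class FixedGymConfigUpdateView(LoginRequiredMixin, PermissionRequiredMixin, UpdateView):
    permission_required = "gym.change_gymconfig"  # hypothetical permission name


# Trap: mixin listed after the base view. View.dispatch() resolves first and never
# calls super(), so PermissionRequiredMixin.dispatch() is dead code.
class MisorderedGymConfigUpdateView(UpdateView, PermissionRequiredMixin):
    permission_required = "gym.change_gymconfig"


def run(view_cls, user):
    """Dispatch a POST from `user` to the view; returns (status, body)."""
    return view_cls().dispatch(Request(user=user))


def has_permission_gate(view_cls) -> bool:
    """Audit check: True only if PermissionRequiredMixin precedes UpdateView in the MRO."""
    mro = view_cls.__mro__
    gate = next((i for i, c in enumerate(mro) if c is PermissionRequiredMixin), None)
    base = next((i for i, c in enumerate(mro) if c is UpdateView), None)
    return gate is not None and base is not None and gate < base


def audit(views):
    """Names of views an authenticated user could reach without a permission check."""
    return [v.__name__ for v in views if not has_permission_gate(v)]


if __name__ == "__main__":
    member = User("member")  # authenticated, no gym permissions
    admin = User("admin", perms={"gym.change_gymconfig"})
    for view in (VulnerableGymConfigUpdateView, MisorderedGymConfigUpdateView,
                 FixedGymConfigUpdateView):
        print(view.__name__, "member ->", run(view, member), "admin ->", run(view, admin))
    print("views lacking a permission gate:",
          audit([VulnerableGymConfigUpdateView, MisorderedGymConfigUpdateView,
                 FixedGymConfigUpdateView]))
```

The `has_permission_gate`/`audit` pair is the check worth keeping around after an upgrade: a unit test that walks every `UpdateView` subclass in a project and asserts the permission mixin appears before the base view in `__mro__` catches both the missing-mixin and the wrong-order variants before they ship.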

Affected Version(s)

wger < 2.5

CVSS v3.1

Vector:
AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:L
Score:
7.6
Severity:
HIGH
Confidentiality:
Low
Integrity:
High
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low (any authenticated user)
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published (17 April 2026)

  • Vulnerability reserved
