← Volver a CVEs
CVE-2026-40474
HIGH7.6
Descripcion
wger is a free, open-source workout and fitness manager. In versions 2.5 and below, the GymConfigUpdateView declares permission_required = 'config.change_gymconfig' but inherits WgerFormMixin instead of WgerPermissionMixin, so the permission is never enforced at runtime. Since GymConfig is an ownerless singleton, any authenticated user can modify the global gym configuration, triggering save() side effects that bulk-update user profile gym assignments — a vertical privilege escalation to installation-wide configuration control. This issue is fixed in version 2.5.
Detalles CVE
Puntuacion CVSS v3.17.6
SeveridadHIGH
Vector CVSSCVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:L
Vector de ataqueNETWORK
ComplejidadLOW
Privilegios requeridosLOW
Interaccion usuarioNONE
Publicado4/17/2026
Ultima modificacion4/17/2026
Fuentenvd
Avistamientos honeypot0
Debilidades (CWE)
CWE-284CWE-862
Referencias
https://github.com/wger-project/wger/commit/47ee5af93b3ced24b9f94b0a8b9296b50bc9523f(security-advisories@github.com)
https://github.com/wger-project/wger/releases/tag/2.5(security-advisories@github.com)
https://github.com/wger-project/wger/security/advisories/GHSA-xppv-4jrx-qf8m(security-advisories@github.com)
Correlaciones IOC
Sin correlaciones registradas
This product uses data from the NVD API but is not endorsed or certified by the NVD.