CVE-2026-43948: CWE-863: Incorrect Authorization in wger-project wger
wger is a free, open-source workout and fitness manager. Prior to 2.6, the reset_user_password and gym_permissions_user_edit views in wger perform a gym-scope authorization check using Python object comparison (!=) that evaluates None != None as False, silently bypassing the guard when both the attacker and victim have no gym assignment (gym=None). A user with gym.manage_gym permission and gym=None can reset the password of any other gym=None user; the new plaintext password is returned verbatim in the HTML response body, enabling one-shot full account takeover. The victim's original password is invalidated, locking them out permanently. This vulnerability is fixed in 2.6.
AI Analysis
Technical Summary
The vulnerability in wger before version 2.6 involves an incorrect authorization check in the reset_user_password and gym_permissions_user_edit views. The check uses Python object comparison (!=) which evaluates None != None as False, bypassing authorization when both users have no gym assigned. This flaw allows a user with gym.manage_gym permission and no gym assignment to reset passwords of other users also without gym assignments. The new password is returned in plaintext in the HTML response, enabling immediate account takeover and permanent lockout of the victim. The vulnerability is addressed in wger 2.6.
Potential Impact
An attacker with gym.manage_gym permission and no gym assignment can reset any other gym=None user's password and obtain the new password in plaintext, leading to full account takeover. The victim's original password is invalidated, causing permanent lockout. The vulnerability has a CVSS score of 9.9 (critical), indicating high impact on confidentiality, integrity, and availability.
Mitigation Recommendations
This vulnerability is fixed in wger version 2.6. Users should upgrade to version 2.6 or later to remediate this issue. No official patch or temporary fix is indicated other than upgrading. Since this is not a cloud service, remediation depends on user action to update the software.
CVE-2026-43948: CWE-863: Incorrect Authorization in wger-project wger
Description
wger is a free, open-source workout and fitness manager. Prior to 2.6, the reset_user_password and gym_permissions_user_edit views in wger perform a gym-scope authorization check using Python object comparison (!=) that evaluates None != None as False, silently bypassing the guard when both the attacker and victim have no gym assignment (gym=None). A user with gym.manage_gym permission and gym=None can reset the password of any other gym=None user; the new plaintext password is returned verbatim in the HTML response body, enabling one-shot full account takeover. The victim's original password is invalidated, locking them out permanently. This vulnerability is fixed in 2.6.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The vulnerability in wger before version 2.6 involves an incorrect authorization check in the reset_user_password and gym_permissions_user_edit views. The check uses Python object comparison (!=) which evaluates None != None as False, bypassing authorization when both users have no gym assigned. This flaw allows a user with gym.manage_gym permission and no gym assignment to reset passwords of other users also without gym assignments. The new password is returned in plaintext in the HTML response, enabling immediate account takeover and permanent lockout of the victim. The vulnerability is addressed in wger 2.6.
Potential Impact
An attacker with gym.manage_gym permission and no gym assignment can reset any other gym=None user's password and obtain the new password in plaintext, leading to full account takeover. The victim's original password is invalidated, causing permanent lockout. The vulnerability has a CVSS score of 9.9 (critical), indicating high impact on confidentiality, integrity, and availability.
Mitigation Recommendations
This vulnerability is fixed in wger version 2.6. Users should upgrade to version 2.6 or later to remediate this issue. No official patch or temporary fix is indicated other than upgrading. Since this is not a cloud service, remediation depends on user action to update the software.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-05-04T16:59:09.090Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 6a0399d6cbff5d86101a890f
Added to database: 5/12/2026, 9:21:26 PM
Last enriched: 5/12/2026, 9:37:35 PM
Last updated: 5/13/2026, 4:52:24 AM
Views: 6
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.