๐Ÿ” CVE Alert

CVE-2026-43978

HIGH 8.1

wger: Privilege escalation via trainer-login session chaining allows gym trainers to impersonate gym managers

CVSS Score
8.1
EPSS Score
0.0%
EPSS Percentile
0th

wger is a free, open-source workout and fitness manager. In versions prior to 2.6, a gym trainer can escalate their session to any higher-privileged account (gym manager, general manager) by chaining two calls to the trainer-login endpoint. Once a trainer performs a legitimate switch into a low-privileged user, the session flag trainer.identity is set and this flag alone bypasses the permission check on all subsequent trainer-login calls. This grants full gym administration capabilities including viewing all member data, modifying contracts, managing gym configuration, and accessing other trainers' and managers' personal information. This issue has been fixed in version 2.6.

CWE CWE-269
Vendor wger-project
Product wger
Published Jul 16, 2026
Stay Ahead of the Next One

Get instant alerts for wger-project wger

Be the first to know when new high vulnerabilities affecting wger-project wger are published โ€” delivered to Slack, Telegram or Discord.

Get Free Alerts โ†’ Free ยท No credit card ยท 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
None

Affected Versions

wger-project / wger
< 2.6

References

NVD โ†— CVE.org โ†— EPSS Data โ†—
github.com: https://github.com/wger-project/wger/security/advisories/GHSA-9qpr-vc49-hqg2