EXECUTIVE SUMMARY:
CVE-2026-43948 (CVSS 9.9, critical) affects the wger package, versions <= 2.5. The flaw lies in the `reset_user_password` and `gym_permissions_user_edit` views, which enforce gym scoping by comparing the requesting user's gym with the target user's gym as Python objects. When neither user has a gym assignment (`gym=None` on both sides), the two values compare equal and the guard passes silently. An attacker who holds the `gym.manage_gym` permission and has `gym=None` can therefore reset the password of any other `gym=None` user. The newly generated plaintext password is returned verbatim in the HTML response body, so a single request yields full account takeover; the victim's original password is invalidated at the same time, locking them out. Exploitation is a GET request to the `/en/gym/user/…/reset-user-password` or `/en/gym/user/…/edit` endpoint (the path segment identifying the target user is not reproduced on this page), requiring only an authenticated session that has `gym.manage_gym` and no gym assignment. The capability gained is the ability to reset and disclose the plaintext password of any other `gym=None` user, with the victim locked out as a side effect. The business impact is significant: account takeover and lockout of users, potentially leading to data breaches and compromised user identities.
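The comparison failure described above, shown as an added example (this is not wger's own code): the `User`, `Gym` and `can_manage_gym` names are minimal stand-ins for Django's user model, the wger gym model and the `gym.manage_gym` permission, and the two check functions model the vulnerable guard and a hardened replacement that treats a missing gym on either side as a deny rather than a match.

```python
"""Gym-scope guard: vulnerable object comparison vs. a hardened check.

Added example code, not wger's views or models. Gym, User and
can_manage_gym are assumed stand-ins for the real Django objects.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Gym:
    pk: int
    name: str


@dataclass
class User:
    username: str
    gym: Optional[Gym]            # None means "no gym assignment"
    can_manage_gym: bool = False  # stand-in for the gym.manage_gym permission


def vulnerable_can_reset(actor: User, target: User) -> bool:
    """The guard as the advisory describes it: a bare object comparison.

    With gym=None on both sides, `None != None` is False, so the guard
    passes even though there is no shared gym to be scoped to.
    """
    if not actor.can_manage_gym:
        return False
    if actor.gym != target.gym:
        return False
    return True


def hardened_can_reset(actor: User, target: User) -> bool:
    """Require a concrete gym on both sides, and the same one.

    A manager with no gym has nothing to administer, so None on either
    side is a deny, not a match. Comparing primary keys avoids relying on
    object identity or equality semantics of the model class.
    """
    if not actor.can_manage_gym:
        return False
    if actor.gym is None or target.gym is None:
        return False
    return actor.gym.pk == target.gym.pk


def scenario() -> dict:
    """Constructed users covering the bypass and the ordinary cases."""
    gym_a = Gym(pk=1, name="Gym A")
    gym_b = Gym(pk=2, name="Gym B")
    attacker = User("manager_no_gym", gym=None, can_manage_gym=True)
    victim = User("someone_no_gym", gym=None)
    manager_a = User("manager_a", gym=gym_a, can_manage_gym=True)
    member_a = User("member_a", gym=gym_a)
    member_b = User("member_b", gym=gym_b)
    return {
        # the CVE: both None, vulnerable guard lets the reset through
        "vuln_none_none": vulnerable_can_reset(attacker, victim),
        "hard_none_none": hardened_can_reset(attacker, victim),
        # legitimate same-gym management keeps working after the fix
        "vuln_same_gym": vulnerable_can_reset(manager_a, member_a),
        "hard_same_gym": hardened_can_reset(manager_a, member_a),
        # cross-gym access is denied by both versions
        "vuln_cross_gym": vulnerable_can_reset(manager_a, member_b),
        "hard_cross_gym": hardened_can_reset(manager_a, member_b),
        # gym-less manager against a gym member: denied by both versions
        "vuln_none_vs_gym": vulnerable_can_reset(attacker, member_a),
    }


if __name__ == "__main__":
    for name, allowed in scenario().items():
        print(f"{name:18s} -> {'ALLOW' if allowed else 'DENY'}")
```

The only row where the two guards disagree is the `None`/`None` pair, which is exactly the case the advisory describes; the hardened check denies it while leaving same-gym management intact. The actual fix shipped in wger 2.6 may be structured differently; the point of the example is the failure mode of `!=` on two optional foreign keys, which applies to any Django view that scopes access by comparing nullable relations.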
RECOMMENDATION:
We recommend updating wger to version 2.6 or later.
REFERENCES:
The following reports contain further technical details:
https://github.com/advisories/GHSA-mhc8-p3jx-84mm