CVE-2026-43978
Received Received - Intake

Session Hijacking in wger Workout Manager

Vulnerability report for CVE-2026-43978, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-16

Last updated on: 2026-07-16

Assigner: GitHub, Inc.

Description

wger is a free, open-source workout and fitness manager. In versions prior to 2.6, a gym trainer can escalate their session to any higher-privileged account (gym manager, general manager) by chaining two calls to the trainer-login endpoint. Once a trainer performs a legitimate switch into a low-privileged user, the session flag trainer.identity is set and this flag alone bypasses the permission check on all subsequent trainer-login calls. This grants full gym administration capabilities including viewing all member data, modifying contracts, managing gym configuration, and accessing other trainers' and managers' personal information. This issue has been fixed in version 2.6.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-16
Last Modified
2026-07-16
Generated
2026-07-17
AI Q&A
2026-07-17
EPSS Evaluated
N/A
NVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
wger wger to 2.6 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-269 The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

The vulnerability in wger versions prior to 2.6 allows a gym trainer to escalate their session privileges to any higher-privileged account, such as gym manager or general manager. This is achieved by chaining two calls to the trainer-login endpoint. Once a trainer switches to a low-privileged user, the session flag trainer.identity is set, which bypasses permission checks on subsequent calls. This grants full gym administration capabilities, including access to member data and configuration settings.

Detection Guidance

Check if your wger instance is running a version prior to 2.6 by inspecting the version file or running the command: wger --version. Look for unauthorized privilege escalation attempts in logs, particularly repeated trainer-login calls with session flag trainer.identity set.

Impact Analysis

If you are a gym trainer or user of wger prior to version 2.6, an attacker could exploit this flaw to gain unauthorized access to higher-privileged accounts. This could lead to exposure of sensitive data, unauthorized modifications to gym settings, or misuse of member information. Users should update to version 2.6 or later to mitigate this risk.

Compliance Impact

This vulnerability could lead to unauthorized access to personal data, violating GDPR and HIPAA requirements for data protection and access controls. Organizations using affected versions may face compliance violations, legal penalties, and reputational damage due to potential data breaches.

Mitigation Strategies

Upgrade wger to version 2.6 or later immediately. If upgrading is not possible, restrict access to the trainer-login endpoint and monitor for suspicious session flag changes. Review user permissions and audit logs for any unauthorized privilege escalations.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-43978. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart