PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-43978 wger-project CVE debrief

A vulnerability in wger, a free, open-source workout and fitness manager, allows a gym trainer to escalate their session to any higher-privileged account by chaining two calls to the trainer-login endpoint. This grants full gym administration capabilities. The vulnerability has been fixed in version 2.6. Users of wger versions prior to 2.6, particularly gym administrators and trainers, should be aware of this vulnerability and take steps to mitigate it. The vulnerability has a CVSS score of 8.1 and is considered HIGH severity.

Vendor
wger-project
Product
wger
CVSS
HIGH 8.1
CISA KEV
Not listed in stored evidence
Original CVE published
2026-07-16
Original CVE updated
2026-07-16
Advisory published
2026-07-16
Advisory updated
2026-07-16

Who should care

Users of wger versions prior to 2.6, particularly gym administrators and trainers, should be aware of this vulnerability and take steps to mitigate it. This includes updating to version 2.6 or later, monitoring for suspicious activity related to trainer-login endpoint calls, and restricting access to the trainer-login endpoint. Additionally, gym administrators and trainers should review the supplied official advisory or CVE record to validate affected scope, severity, and vendor guidance.

Technical summary

In versions prior to 2.6, a gym trainer can escalate their session to any higher-privileged account (gym manager, general manager) by chaining two calls to the trainer-login endpoint. Once a trainer performs a legitimate switch into a low-privileged user, the session flag trainer.identity is set and this flag alone bypasses the permission check on all subsequent trainer-login calls. This grants full gym administration capabilities including viewing all member data, modifying contracts, managing gym configuration, and accessing other trainers' and managers' personal information.

Defensive priority

High priority should be given to updating wger to version 2.6 or later, as well as monitoring for suspicious activity related to trainer-login endpoint calls.

Recommended defensive actions

  • Update wger to version 2.6 or later
  • Monitor for suspicious activity related to trainer-login endpoint calls
  • Restrict access to the trainer-login endpoint
  • Implement additional logging and monitoring for gym administration activities
  • Confirm whether affected product deployments exist in managed environments and assign an owner for follow-up
  • Review compensating controls for exposed systems while remediation is scheduled and verified
  • Track exceptions, retest remediated assets, and close the item only after evidence is documented

Evidence notes

The CVE record was published on 2026-07-16T23:16:16.310Z and has not been modified since then. The NVD entry is currently 8.1 HIGH. This information is based on the NVD entry and the CVE record. The vulnerability affects wger versions prior to 2.6. There may be additional information available from the vendor or other sources that could help defenders verify the vulnerability and its impact.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-16T23:16:16.310Z and has not been modified since then.