PatchSiren cyber security CVE debrief
CVE-2026-43978 wger-project CVE debrief
A vulnerability in wger, a free, open-source workout and fitness manager, allows a gym trainer to escalate their session to any higher-privileged account by chaining two calls to the trainer-login endpoint. This grants full gym administration capabilities. The vulnerability has been fixed in version 2.6. Users of wger versions prior to 2.6, particularly gym administrators and trainers, should be aware of this vulnerability and take steps to mitigate it. The vulnerability has a CVSS score of 8.1 and is considered HIGH severity.
- Vendor
- wger-project
- Product
- wger
- CVSS
- HIGH 8.1
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-07-16
- Original CVE updated
- 2026-07-16
- Advisory published
- 2026-07-16
- Advisory updated
- 2026-07-16
Who should care
Users of wger versions prior to 2.6, particularly gym administrators and trainers, should be aware of this vulnerability and take steps to mitigate it. This includes updating to version 2.6 or later, monitoring for suspicious activity related to trainer-login endpoint calls, and restricting access to the trainer-login endpoint. Additionally, gym administrators and trainers should review the supplied official advisory or CVE record to validate affected scope, severity, and vendor guidance.
Technical summary
In versions prior to 2.6, a gym trainer can escalate their session to any higher-privileged account (gym manager, general manager) by chaining two calls to the trainer-login endpoint. Once a trainer performs a legitimate switch into a low-privileged user, the session flag trainer.identity is set and this flag alone bypasses the permission check on all subsequent trainer-login calls. This grants full gym administration capabilities including viewing all member data, modifying contracts, managing gym configuration, and accessing other trainers' and managers' personal information.
Defensive priority
High priority should be given to updating wger to version 2.6 or later, as well as monitoring for suspicious activity related to trainer-login endpoint calls.
Recommended defensive actions
- Update wger to version 2.6 or later
- Monitor for suspicious activity related to trainer-login endpoint calls
- Restrict access to the trainer-login endpoint
- Implement additional logging and monitoring for gym administration activities
- Confirm whether affected product deployments exist in managed environments and assign an owner for follow-up
- Review compensating controls for exposed systems while remediation is scheduled and verified
- Track exceptions, retest remediated assets, and close the item only after evidence is documented
Evidence notes
The CVE record was published on 2026-07-16T23:16:16.310Z and has not been modified since then. The NVD entry is currently 8.1 HIGH. This information is based on the NVD entry and the CVE record. The vulnerability affects wger versions prior to 2.6. There may be additional information available from the vendor or other sources that could help defenders verify the vulnerability and its impact.
Official resources
-
CVE-2026-43978 CVE record
CVE.org
-
CVE-2026-43978 NVD detail
NVD
-
Source item URL
nvd_modified
- Source reference
AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-16T23:16:16.310Z and has not been modified since then.