External risk intelligence

Attacker can take over accounts by resetting passwords in wger

CVE advisory. Severity: CRITICAL (CVSS 9.9)

CVE-2026-43948

An internal attacker with existing wger permissions can reset the passwords of other users to take over their accounts. This enables unauthorized access to user profiles and sensitive information.

Halo Surface Signal (score: 3)

External exposure likelihood

Halo Surface Signal score for CVE-2026-43948

wger is a web-based fitness management application. While typically a web-accessible product, these are frequently self-hosted in private, internal, or restricted environments. Access requires a user to hold specific, pre-existing administrative permissions. This structure makes broad public exposure and reachability less certain than for standard internet-facing web infrastructure.

Horizon Alert

Summary of the vulnerability and why it matters

This vulnerability in the wger workout and fitness manager could allow an attacker to take over any user's account. The issue lies in how the system checks user permissions before resetting passwords, creating a loophole when both the attacker and victim are not assigned to a specific gym. This allows an unauthorized user to reset another user's password and gain full access.

  • Full account takeover is possible.
  • Affects users without gym assignments.
  • Plaintext password exposed in response.

Attack Path

How an attacker could exploit the issue

An attacker with basic user privileges and no gym assignment can exploit this flaw to reset the password of any other user who also has no gym assignment. This is achieved by abusing the faulty authorization check in password reset and user edit functions, which incorrectly allows the bypass when both users lack a gym. The new password is then displayed directly in the HTML response, enabling an immediate account takeover.

  • Requires authenticated access.
  • Targets password reset functionality.
  • Exploits `None != None` logic flaw.

Live Threat

Current exploitation, exposure, and threat context

This vulnerability allows for account takeover by exploiting a flawed authorization check in password reset functionality. While the vulnerability is rated critical and offers direct account access, its exploitation is likely limited to authenticated users with specific permissions within a gym-scopable environment. Attackers might favor this if they can gain initial low-privilege access.

  • Exploitation requires authentication.
  • No public exploit code observed.
  • Fix available in version 2.6.

Priority actions

Operational Fix

Recommended remediation, mitigation, and detection steps

Focus on containing and monitoring services running wger versions prior to 2.6, since this critical vulnerability allows account takeover by bypassing an authorization check. The advisory is marked "Deferred": a patch is available, but it may not have been universally applied.

  • Upgrade to wger 2.6 or later.
  • Monitor for unauthorized password resets or account takeovers.
  • Restrict access to vulnerable wger instances.

Frequently asked questions

What is wger and what is it used for?

wger is a free, open-source application designed for managing workouts and fitness activities. It helps users track their exercise routines and manage fitness-related information.

How does CVE-2026-43948 allow account takeover?

CVE-2026-43948 is a bypass vulnerability. It exploits a flaw in how wger checks user permissions during password resets, specifically when neither the attacker nor the victim is assigned to a gym. This bypass allows an attacker to reset another user's password, gaining full account control.

What are the conditions needed to exploit this wger vulnerability?

To exploit this vulnerability, an attacker needs to be authenticated and have specific permissions, such as `gym.manage_gym`. Crucially, both the attacker and the target user must not be assigned to any gym (gym=None) for the authorization bypass to occur.
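The "Attack Path" section and the answer above both come down to one comparison: a scope check written as `actor.gym != target.gym` that treats two missing assignments (`None` and `None`) as a match, so it silently passes when it should deny. The following is an added example, not wger's own code, that models that flawed check beside a hardened version which treats a missing scope as a deny, plus a small audit helper of the kind a defender could run over reset logs to spot cross-account resets between unassigned users. `User`, `is_trainer`, the log record layout and all sample values are constructed for this illustration.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class User:
    """Minimal stand-in for an application user (constructed for this example)."""
    username: str
    gym: Optional[str]          # None models a user with no gym assignment
    is_trainer: bool = False    # stands in for a 'manage gym'-style permission


def may_reset_password_flawed(actor: User, target: User) -> bool:
    """Flawed check modelled on the advisory's description.

    The scope test is an inequality, so when both users have gym=None the
    expression 'None != None' evaluates to False, the deny branch is skipped,
    and a reset across unrelated accounts is allowed.
    """
    if not actor.is_trainer:
        return False
    if actor.gym != target.gym:     # never fires for None vs None
        return False
    return True


def may_reset_password_fixed(actor: User, target: User) -> bool:
    """Hardened check: a missing scope on either side is a deny, not a match."""
    if not actor.is_trainer:
        return False
    if actor.gym is None or target.gym is None:
        return False
    return actor.gym == target.gym


def flag_suspicious_resets(events: list[dict]) -> list[str]:
    """Return target usernames for reset events where an actor reset someone
    else's password while either party had no gym assignment. Each event is a
    constructed audit record: actor, target, actor_gym, target_gym."""
    flagged = []
    for ev in events:
        if ev["actor"] == ev["target"]:
            continue                 # self-service resets are expected
        if ev["actor_gym"] is None or ev["target_gym"] is None:
            flagged.append(ev["target"])
    return flagged


# Constructed sample audit records, not real log data.
SAMPLE_EVENTS = [
    {"actor": "alice", "target": "alice", "actor_gym": None, "target_gym": None},
    {"actor": "trainer1", "target": "bob", "actor_gym": "gym-a", "target_gym": "gym-a"},
    {"actor": "mallory", "target": "carol", "actor_gym": None, "target_gym": None},
]

if __name__ == "__main__":
    actor = User("mallory", None, is_trainer=True)
    victim = User("carol", None)
    print("flawed check allows:", may_reset_password_flawed(actor, victim))
    print("fixed check allows:", may_reset_password_fixed(actor, victim))
    print("flagged resets:", flag_suspicious_resets(SAMPLE_EVENTS))
```

Note that the fix is not "compare with `==` instead": `None == None` is True in Python, so the hardened version has to reject the unassigned case explicitly before comparing scopes. The same principle applies to the audit helper, which treats a reset between two unassigned users as worth a look rather than as in-scope.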

Who should be concerned about this CVE-2026-43948 threat?

Organizations using wger versions prior to 2.6 should be concerned. While wger is often self-hosted, this vulnerability has a 'Possible' exposure signal, meaning it could be accessible internally or externally, and requires authenticated access to exploit.

What is the first step to respond to this threat?

The immediate first step for anyone running wger versions before 2.6 is to upgrade to version 2.6 or later, where the vulnerability has been fixed. Monitoring for unauthorized password resets or account takeovers is also recommended.
