{"api_version":"1","generated_at":"2026-07-17T16:43:27+00:00","cve":"CVE-2026-43978","urls":{"html":"https://cve.report/CVE-2026-43978","api":"https://cve.report/api/cve/CVE-2026-43978.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2026-43978","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2026-43978"},"summary":{"title":"wger: Privilege escalation via trainer-login session chaining allows gym trainers to impersonate gym managers","description":"wger is a free, open-source workout and fitness manager. In versions prior to 2.6, a gym trainer can escalate their session to any higher-privileged account (gym manager, general manager) by chaining two calls to the trainer-login endpoint. Once a trainer performs a legitimate switch into a low-privileged user, the session flag trainer.identity is set and this flag alone bypasses the permission check on all subsequent trainer-login calls. This grants full gym administration capabilities including viewing all member data, modifying contracts, managing gym configuration, and accessing other trainers' and managers' personal information. This issue has been fixed in version 2.6.","state":"PUBLISHED","assigner":"GitHub_M","published_at":"2026-07-16 23:16:16","updated_at":"2026-07-17 11:17:13"},"problem_types":["CWE-269","CWE-269 CWE-269: Improper Privilege Management"],"metrics":[{"version":"3.1","source":"security-advisories@github.com","type":"Secondary","score":"8.1","severity":"HIGH","vector":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N","data":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N","baseScore":8.1,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"NONE"}},{"version":"3.1","source":"CNA","type":"DECLARED","score":"8.1","severity":"HIGH","vector":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N","data":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"NONE","baseScore":8.1,"baseSeverity":"HIGH","confidentialityImpact":"HIGH","integrityImpact":"HIGH","privilegesRequired":"LOW","scope":"UNCHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N","version":"3.1"}}],"references":[{"url":"https://github.com/wger-project/wger/security/advisories/GHSA-9qpr-vc49-hqg2","name":"https://github.com/wger-project/wger/security/advisories/GHSA-9qpr-vc49-hqg2","refsource":"134c704f-9b21-4f2e-91b3-4a467353bcc0","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://www.cve.org/CVERecord?id=CVE-2026-43978","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-43978","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[{"source":"CNA","vendor":"wger-project","product":"wger","version":"affected < 2.6","platforms":[]}],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[]},"source_records":{"cve_program":{"containers":{"adp":[{"metrics":[{"other":{"content":{"id":"CVE-2026-43978","options":[{"Exploitation":"poc"},{"Automatable":"no"},{"Technical Impact":"total"}],"role":"CISA Coordinator","timestamp":"2026-07-17T10:49:18.653519Z","version":"2.0.3"},"type":"ssvc"}}],"providerMetadata":{"dateUpdated":"2026-07-17T10:49:37.286Z","orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP"},"references":[{"tags":["exploit"],"url":"https://github.com/wger-project/wger/security/advisories/GHSA-9qpr-vc49-hqg2"}],"title":"CISA ADP Vulnrichment"}],"cna":{"affected":[{"product":"wger","vendor":"wger-project","versions":[{"status":"affected","version":"< 2.6"}]}],"descriptions":[{"lang":"en","value":"wger is a free, open-source workout and fitness manager. In versions prior to 2.6, a gym trainer can escalate their session to any higher-privileged account (gym manager, general manager) by chaining two calls to the trainer-login endpoint. Once a trainer performs a legitimate switch into a low-privileged user, the session flag trainer.identity is set and this flag alone bypasses the permission check on all subsequent trainer-login calls. This grants full gym administration capabilities including viewing all member data, modifying contracts, managing gym configuration, and accessing other trainers' and managers' personal information. This issue has been fixed in version 2.6."}],"metrics":[{"cvssV3_1":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"NONE","baseScore":8.1,"baseSeverity":"HIGH","confidentialityImpact":"HIGH","integrityImpact":"HIGH","privilegesRequired":"LOW","scope":"UNCHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N","version":"3.1"}}],"problemTypes":[{"descriptions":[{"cweId":"CWE-269","description":"CWE-269: Improper Privilege Management","lang":"en","type":"CWE"}]}],"providerMetadata":{"dateUpdated":"2026-07-16T22:11:57.629Z","orgId":"a0819718-46f1-4df5-94e2-005712e83aaa","shortName":"GitHub_M"},"references":[{"name":"https://github.com/wger-project/wger/security/advisories/GHSA-9qpr-vc49-hqg2","tags":["x_refsource_CONFIRM"],"url":"https://github.com/wger-project/wger/security/advisories/GHSA-9qpr-vc49-hqg2"}],"source":{"advisory":"GHSA-9qpr-vc49-hqg2","discovery":"UNKNOWN"},"title":"wger: Privilege escalation via trainer-login session chaining allows gym trainers to impersonate gym managers"}},"cveMetadata":{"assignerOrgId":"a0819718-46f1-4df5-94e2-005712e83aaa","assignerShortName":"GitHub_M","cveId":"CVE-2026-43978","datePublished":"2026-07-16T22:11:57.629Z","dateReserved":"2026-05-04T20:24:31.916Z","dateUpdated":"2026-07-17T10:49:37.286Z","state":"PUBLISHED"},"dataType":"CVE_RECORD","dataVersion":"5.2"},"nvd":{"publishedDate":"2026-07-16 23:16:16","lastModifiedDate":"2026-07-17 11:17:13","problem_types":["CWE-269","CWE-269 CWE-269: Improper Privilege Management"],"metrics":{"cvssMetricV31":[{"source":"security-advisories@github.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N","baseScore":8.1,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"NONE"},"exploitabilityScore":2.8,"impactScore":5.2}],"ssvcV203":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","ssvcData":{"timestamp":"2026-07-17T10:49:18.653519Z","id":"CVE-2026-43978","options":[{"exploitation":"poc"},{"automatable":"no"},{"technicalImpact":"total"}],"role":"CISA Coordinator","version":"2.0.3"}}]},"configurations":[]},"legacy_mitre":{"record":{"CveYear":"2026","CveId":"43978","Ordinal":"1","Title":"wger: Privilege escalation via trainer-login session chaining al","CVE":"CVE-2026-43978","Year":"2026"},"notes":[{"CveYear":"2026","CveId":"43978","Ordinal":"1","NoteData":"wger is a free, open-source workout and fitness manager. In versions prior to 2.6, a gym trainer can escalate their session to any higher-privileged account (gym manager, general manager) by chaining two calls to the trainer-login endpoint. Once a trainer performs a legitimate switch into a low-privileged user, the session flag trainer.identity is set and this flag alone bypasses the permission check on all subsequent trainer-login calls. This grants full gym administration capabilities including viewing all member data, modifying contracts, managing gym configuration, and accessing other trainers' and managers' personal information. This issue has been fixed in version 2.6.","Type":"Description","Title":"wger: Privilege escalation via trainer-login session chaining al"}]}}}