LeakyCreds

CVE-2026-43948 - Vulnerability Analysis

Critical (CVSS: 9.9)

Last Updated: May 13, 2026

wger - Broken Access Control & Information Disclosure

Published: May 12, 2026. Updated: May 13, 2026. Remotely exploitable.

Overview

wger before 2.6 contains a broken access control issue in the reset_user_password and gym_permissions_user_edit views. The gym-scope authorization check compares the acting user's gym to the target user's gym with a plain Python object comparison, so two users with no gym assignment (gym=None) compare as equal. A user who holds the gym.manage_gym permission but has gym=None can therefore reset the password of any other gym=None user and obtain the plaintext password. Exploitation requires the gym.manage_gym permission and gym=None.
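To make the class of bug concrete, the following is an added Python sketch, not wger's own code: the dataclasses stand in for Django models, the `can_manage_gym` flag stands in for `user.has_perm("gym.manage_gym")`, the user names and gyms are constructed, and the reset flow that hands the generated password back to the caller is an assumption modelled on the advisory's description. It places the flawed object-comparison scope check next to a hardened one and drives both through the reset flow.

```python
import hashlib
import secrets
from dataclasses import dataclass
from typing import Callable, Optional


@dataclass
class Gym:
    id: int
    name: str


@dataclass
class User:
    """Constructed stand-in for a Django user plus its gym-scoped profile."""
    username: str
    gym: Optional[Gym]            # None models a user with no gym assignment
    can_manage_gym: bool = False  # stands in for user.has_perm("gym.manage_gym")
    password_hash: str = ""


class PermissionDenied(Exception):
    pass


def vulnerable_can_manage(actor: User, target: User) -> bool:
    """The flawed scope check: compares the two gym objects directly.

    For two assigned users this compares their gyms, but when both gyms are
    None the expression `None == None` is True, so an unassigned manager
    "matches" every other unassigned user.
    """
    if not actor.can_manage_gym:
        return False
    return actor.gym == target.gym


def hardened_can_manage(actor: User, target: User) -> bool:
    """Scope check that refuses to treat "no gym" as a shared scope."""
    if not actor.can_manage_gym:
        return False
    if actor.gym is None or target.gym is None:
        return False
    return actor.gym.id == target.gym.id


Check = Callable[[User, User], bool]


def reset_user_password(actor: User, target: User, check: Check) -> str:
    """Illustrative reset flow: authorize, set a random password, return it.

    Returning the generated password to the caller is what turns a scope bug
    into plaintext-credential disclosure (assumed flow, not wger's code).
    """
    if not check(actor, target):
        raise PermissionDenied(f"{actor.username} may not manage {target.username}")
    new_password = secrets.token_urlsafe(12)
    # Stand-in for Django's make_password(); a real app uses its password hasher.
    target.password_hash = hashlib.sha256(new_password.encode()).hexdigest()
    return new_password


def reset_allowed(actor: User, target: User, check: Check) -> bool:
    """True if the reset goes through under the given scope check."""
    try:
        reset_user_password(actor, target, check)
    except PermissionDenied:
        return False
    return True


# Constructed sample data (not from the advisory).
GYM_A = Gym(1, "Gym A")
GYM_B = Gym(2, "Gym B")
UNSCOPED_MANAGER = User("mallory", gym=None, can_manage_gym=True)
UNSCOPED_VICTIM = User("victim", gym=None)
SCOPED_MANAGER = User("alice", gym=GYM_A, can_manage_gym=True)
MEMBER_A = User("bob", gym=GYM_A)
MEMBER_B = User("carol", gym=GYM_B)


if __name__ == "__main__":
    print("vulnerable, unscoped -> unscoped:",
          reset_allowed(UNSCOPED_MANAGER, UNSCOPED_VICTIM, vulnerable_can_manage))
    print("hardened,   unscoped -> unscoped:",
          reset_allowed(UNSCOPED_MANAGER, UNSCOPED_VICTIM, hardened_can_manage))
    print("hardened,   same gym:",
          reset_allowed(SCOPED_MANAGER, MEMBER_A, hardened_can_manage))
    print("hardened,   other gym:",
          reset_allowed(SCOPED_MANAGER, MEMBER_B, hardened_can_manage))
```

The design point is that a Django permission such as gym.manage_gym is global, not scoped; the gym comparison carries the whole tenant boundary, so "no gym" has to be treated as "no authorization" rather than as a scope that unassigned users share.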

Severity & Score

Severity: Critical
CVSS Score: 9.9

Impact

An attacker who holds gym.manage_gym but has no gym assignment can fully take over the accounts of other users with no gym assignment by resetting their passwords and obtaining the resulting plaintext passwords.

Mitigation

Update wger to version 2.6 or later.

Details

CVE ID
CVE-2026-43948
Severity
Critical
CVSS Score
9.9
Type
broken_access_control
Status
rejected

CWE

  • CWE-863

CVSS Metrics

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H