wger is a free, open-source workout and fitness manager. In versions prior to 2.6, a gym trainer can escalate their session to any higher-privileged account (gym manager, general manager) by chaining two calls to the trainer-login endpoint. Once a trainer performs a legitimate switch into a low-privileged user, the session flag trainer.identity is set and this flag alone bypasses the permission check on all subsequent trainer-login calls. This grants full gym administration capabilities including viewing all member data, modifying contracts, managing gym configuration, and accessing other trainers' and managers' personal information. This issue has been fixed in version 2.6.
Advisories
| Source | ID | Title |
|---|---|---|
Github GHSA |
GHSA-9qpr-vc49-hqg2 | wger: Privilege escalation via trainer-login session chaining allows gym trainer to impersonate gym manager |
Fixes
Solution
No solution given by the vendor.
Workaround
No workaround given by the vendor.
References
History
Thu, 16 Jul 2026 23:45:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared |
Wger-project
Wger-project wger |
|
| Vendors & Products |
Wger-project
Wger-project wger |
Thu, 16 Jul 2026 22:30:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Description | wger is a free, open-source workout and fitness manager. In versions prior to 2.6, a gym trainer can escalate their session to any higher-privileged account (gym manager, general manager) by chaining two calls to the trainer-login endpoint. Once a trainer performs a legitimate switch into a low-privileged user, the session flag trainer.identity is set and this flag alone bypasses the permission check on all subsequent trainer-login calls. This grants full gym administration capabilities including viewing all member data, modifying contracts, managing gym configuration, and accessing other trainers' and managers' personal information. This issue has been fixed in version 2.6. | |
| Title | wger: Privilege escalation via trainer-login session chaining allows gym trainers to impersonate gym managers | |
| Weaknesses | CWE-269 | |
| References |
| |
| Metrics |
cvssV3_1
|
Projects
Sign in to view the affected projects.
Status: PUBLISHED
Assigner: GitHub_M
Published:
Updated: 2026-07-16T22:11:57.629Z
Reserved: 2026-05-04T20:24:31.916Z
Link: CVE-2026-43978
No data.
No data.
No data.
OpenCVE Enrichment
Updated: 2026-07-16T23:30:07Z
Weaknesses
Github GHSA