wger: cross-tenant password reset and plaintext disclosure via gym=None bypass — CVE-2026-43948
GitHub · GitHub · CVE-2026-43948
ID
CVE-2026-43948
CVE-2026-43948
Date
Updated
Activity
Source
GitHub
GitHub
Vendor
GitHub
GitHub
Threat
critical
critical
CVSS
9.9
9.9
EPSS
0.00012
0.00012
Summary
### Summary The `reset_user_password` and `gym_permissions_user_edit` views in wger perform a gym-scope authorization check using Python object comparison (`!=`) that evaluates `None != None` as `False`, silently bypassing the guard when both the attacker and victim have no gym assignment (`gym=None`). A user with `gym.manage_gym` permission and `gym=None` can reset the password of **any other `gym=None` user**;…
Product
pip: wger
What to do
General, cautious steps (verify details in the official source):
- Prioritize patching or mitigation immediately (treat as actively risky).
- Identify affected product versions in your inventory and verify whether you are impacted.
- Apply vendor patches/updates or recommended mitigations as soon as available.
- Read the official advisory for exact affected versions and remediation steps.