Back to CVE risk briefs

External risk intelligence

wger could allow privileged users to take over other user accounts.

The wger workout and fitness manager could allow a privileged user to reset passwords for other accounts. This flaw could lead to the exposure of sensitive customer data and permanent account lockouts for those affected.

NVD published May 12, 2026 (2 days ago)

External risk briefCRITICAL

CVE-2026-43948

Halo Surface Signal

4/ 5

wger is a web-based workout and fitness management application. These applications are typically designed to be accessible via a web browser and are commonly deployed as internet-facing services to allow users to manage their data and accounts remotely. Consequently, the application interface and its administrative functions are frequently reachable from the public internet.

Exposure facts

CVSS
9.9
CVSS vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
EPSS
0.01%

H – Horizon Alert

The wger workout and fitness manager contains an authorization vulnerability that could allow unauthorized individuals to gain control over other user accounts. Due to a flaw in how the system verifies user permissions, an attacker may be able to reset another user's password and obtain their credentials directly. This full account takeover capability not only exposes sensitive personal data but also permanently locks the legitimate user out of their profile.

A – Asset Exposure

The wger workout and fitness management software contains an authorization flaw that could impact the security of user accounts. An authenticated user with specific administrative permissions might be able to bypass intended restrictions to reset the credentials of other users, resulting in unauthorized access and permanent account lockout. This vulnerability directly affects customer data and user access, particularly within deployments managing users who are not assigned to a specific gym.

L – Live Threat

The currently available information does not indicate active exploitation or observed targeting in the wild. We have not identified reports of public exploit code or proof-of-concept activity associated with this issue. Consequently, there are no immediate live-threat signals to suggest an elevated risk of external exploitation at this time.

O – Operational Fix

Please update your wger installation to the latest version provided by the vendor to address this vulnerability. This update includes the necessary security fixes to resolve the authorization flaw impacting user account management. We recommend verifying your deployment after the update to ensure that standard security controls are correctly functioning.

References