CWE-862
Allowed-with-ReviewMissing Authorization
Abstraction: Class · Status: Incomplete
The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
14546 vulnerabilities reference this CWE, most recent first.
GHSA-XMXF-WJR9-RPWR
Vulnerability from github – Published: 2023-07-12 09:30 – Updated: 2024-04-04 06:02In telephony service, there is a possible missing permission check. This could lead to local escalation of privilege with no additional execution privileges.
{
"affected": [],
"aliases": [
"CVE-2023-30929"
],
"database_specific": {
"cwe_ids": [
"CWE-862"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-07-12T09:15:11Z",
"severity": "HIGH"
},
"details": "In telephony service, there is a possible missing permission check. This could lead to local escalation of privilege with no additional execution privileges.",
"id": "GHSA-xmxf-wjr9-rpwr",
"modified": "2024-04-04T06:02:45Z",
"published": "2023-07-12T09:30:54Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-30929"
},
{
"type": "WEB",
"url": "https://www.unisoc.com/en_us/secy/announcementDetail/1676902764208259073"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-XP5G-JHG3-3RG2
Vulnerability from github – Published: 2023-05-22 00:30 – Updated: 2023-05-30 23:12iden3 snarkjs through 0.6.11 allows double spending because there is no validation that the publicSignals length is less than the field modulus.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "snarkjs"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "0.6.11"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2023-33252"
],
"database_specific": {
"cwe_ids": [
"CWE-862"
],
"github_reviewed": true,
"github_reviewed_at": "2023-05-22T19:37:12Z",
"nvd_published_at": "2023-05-21T22:15:14Z",
"severity": "HIGH"
},
"details": "iden3 snarkjs through 0.6.11 allows double spending because there is no validation that the publicSignals length is less than the field modulus.",
"id": "GHSA-xp5g-jhg3-3rg2",
"modified": "2023-05-30T23:12:12Z",
"published": "2023-05-22T00:30:20Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-33252"
},
{
"type": "PACKAGE",
"url": "https://github.com/iden3/snarkjs"
},
{
"type": "WEB",
"url": "https://github.com/iden3/snarkjs/commits/master/src/groth16_verify.js"
},
{
"type": "WEB",
"url": "https://github.com/iden3/snarkjs/tags"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
}
],
"summary": "Double spend in snarkjs"
}
GHSA-XP77-G88W-H7MG
Vulnerability from github – Published: 2022-01-28 00:02 – Updated: 2026-05-18 15:30Single Connect does not perform an authorization check when using the sc-reports-ui" module. A remote attacker could exploit this vulnerability to access the device configuration page and export the data to an external file. The exploitation of this vulnerability might allow a remote attacker to obtain sensitive information including the database credentials. Since the database runs with high privileges it is possible to execute commands with the attained credentials.
{
"affected": [],
"aliases": [
"CVE-2021-44793"
],
"database_specific": {
"cwe_ids": [
"CWE-862"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-01-27T13:15:00Z",
"severity": "HIGH"
},
"details": "Single Connect does not perform an authorization check when using the sc-reports-ui\" module. A remote attacker could exploit this vulnerability to access the device configuration page and export the data to an external file. The exploitation of this vulnerability might allow a remote attacker to obtain sensitive information including the database credentials. Since the database runs with high privileges it is possible to execute commands with the attained credentials.",
"id": "GHSA-xp77-g88w-h7mg",
"modified": "2026-05-18T15:30:31Z",
"published": "2022-01-28T00:02:15Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-44793"
},
{
"type": "WEB",
"url": "https://siberguvenlik.gov.tr/guvenlik-bildirimleri/detay/tr-22-0093"
},
{
"type": "WEB",
"url": "https://www.usom.gov.tr/bildirim/tr-22-0093"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-XP82-R324-2W4V
Vulnerability from github – Published: 2025-04-29 09:31 – Updated: 2025-04-29 09:31The SecuPress Free — WordPress Security plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'secupress_reinstall_plugins_admin_ajax_cb' function in all versions up to, and including, 2.3.9. This makes it possible for authenticated attackers, with Subscriber-level access and above, to install arbitrary plugins.
{
"affected": [],
"aliases": [
"CVE-2025-3452"
],
"database_specific": {
"cwe_ids": [
"CWE-862"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-04-29T09:15:16Z",
"severity": "MODERATE"
},
"details": "The SecuPress Free \u2014 WordPress Security plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the \u0027secupress_reinstall_plugins_admin_ajax_cb\u0027 function in all versions up to, and including, 2.3.9. This makes it possible for authenticated attackers, with Subscriber-level access and above, to install arbitrary plugins.",
"id": "GHSA-xp82-r324-2w4v",
"modified": "2025-04-29T09:31:37Z",
"published": "2025-04-29T09:31:37Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-3452"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/browser/secupress/trunk/free/modules/plugins-themes/tools.php#L686"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/changeset/3283453"
},
{
"type": "WEB",
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/d9125873-aedd-4334-b8e0-74b67d301904?source=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-XPF8-P6C2-QCP9
Vulnerability from github – Published: 2026-06-16 12:32 – Updated: 2026-06-16 12:32The WooCommerce Stripe Payment Gateway plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the ajax_pay_for_order() function in all versions up to, and including, 10.7.0 This is due to a missing order ownership or order_key verification when processing payment for an order via the wc_stripe_pay_for_order WC-AJAX endpoint. The function only validates a nonce (which is publicly available on any WooCommerce page where Express Checkout is enabled), but does not verify that the requesting user owns the target order and is allowed to modify it. This makes it possible for unauthenticated attackers to force any pending order into a failed status by providing a fake payment method, causing a payment exception that updates the order status to "failed" via sequential order ID enumeration.
{
"affected": [],
"aliases": [
"CVE-2026-2381"
],
"database_specific": {
"cwe_ids": [
"CWE-862"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-06-16T10:16:26Z",
"severity": "MODERATE"
},
"details": "The WooCommerce Stripe Payment Gateway plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the `ajax_pay_for_order()` function in all versions up to, and including, 10.7.0 This is due to a missing order ownership or order_key verification when processing payment for an order via the `wc_stripe_pay_for_order` WC-AJAX endpoint. The function only validates a nonce (which is publicly available on any WooCommerce page where Express Checkout is enabled), but does not verify that the requesting user owns the target order and is allowed to modify it. This makes it possible for unauthenticated attackers to force any pending order into a failed status by providing a fake payment method, causing a payment exception that updates the order status to \"failed\" via sequential order ID enumeration.",
"id": "GHSA-xpf8-p6c2-qcp9",
"modified": "2026-06-16T12:32:01Z",
"published": "2026-06-16T12:32:01Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-2381"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/browser/woocommerce-gateway-stripe/tags/10.3.1/includes/class-wc-gateway-stripe.php#L523"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/browser/woocommerce-gateway-stripe/tags/10.3.1/includes/payment-methods/class-wc-stripe-express-checkout-ajax-handler.php#L355"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/changeset/3564842/woocommerce-gateway-stripe/trunk/includes/payment-methods/class-wc-stripe-express-checkout-ajax-handler.php"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/changeset?old_path=%2Fwoocommerce-gateway-stripe/tags/10.7.0\u0026new_path=%2Fwoocommerce-gateway-stripe/tags/10.8.0"
},
{
"type": "WEB",
"url": "https://research.cleantalk.org/cve-2026-2381"
},
{
"type": "WEB",
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/ab3b52f7-e2c3-44f7-8e19-b6c51ccd50e0?source=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-XPGC-7VC2-8725
Vulnerability from github – Published: 2026-05-22 00:31 – Updated: 2026-06-24 21:07Concrete CMS 9.5.0 and below is vulnerable to IDOR. The /ccm/frontend/conversations/message_detail endpoint returns the full content of any conversation message. An unauthenticated attacker can enumerate all conversation messages, including messages from restricted pages, member-only areas, and the moderation queue. File attachments with download URLs are also exposed.
{
"affected": [
{
"package": {
"ecosystem": "Packagist",
"name": "concrete5/concrete5"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "9.5.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-8237"
],
"database_specific": {
"cwe_ids": [
"CWE-862"
],
"github_reviewed": true,
"github_reviewed_at": "2026-06-24T21:07:30Z",
"nvd_published_at": "2026-05-21T22:16:49Z",
"severity": "MODERATE"
},
"details": "Concrete CMS 9.5.0 and below is vulnerable to IDOR.\u00a0The `/ccm/frontend/conversations/message_detail` endpoint returns the full content of any conversation message. An unauthenticated attacker can enumerate all conversation messages, including messages from restricted pages, member-only areas, and the moderation queue. File attachments with download URLs are also exposed.",
"id": "GHSA-xpgc-7vc2-8725",
"modified": "2026-06-24T21:07:30Z",
"published": "2026-05-22T00:31:16Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-8237"
},
{
"type": "WEB",
"url": "https://documentation.concretecms.org/9-x/developers/introduction/version-history/951-release-notes"
},
{
"type": "PACKAGE",
"url": "https://github.com/concretecms/concretecms"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "Concrete CMS is vulnerable to IDOR"
}
GHSA-XPH3-VJCQ-G488
Vulnerability from github – Published: 2023-08-02 12:30 – Updated: 2025-08-08 21:12The organization selector before 4.0.14 from Liferay Portal (7.4.3.81 through 7.4.3.85), and Liferay DXP 7.4 update 81 through 85 does not check user permission, which allows remote authenticated users to obtain a list of all organizations.
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "com.liferay:com.liferay.organizations.item.selector.web"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "4.0.14"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "com.liferay.portal:release.dxp.bom"
},
"ranges": [
{
"events": [
{
"introduced": "7.4.143.u81"
},
{
"last_affected": "7.4.143.u85"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2023-3426"
],
"database_specific": {
"cwe_ids": [
"CWE-425",
"CWE-862"
],
"github_reviewed": true,
"github_reviewed_at": "2025-08-08T21:12:51Z",
"nvd_published_at": "2023-08-02T10:15:09Z",
"severity": "MODERATE"
},
"details": "The organization selector before 4.0.14 from Liferay Portal (7.4.3.81 through 7.4.3.85), and Liferay DXP 7.4 update 81 through 85 does not check user permission, which allows remote authenticated users to obtain a list of all organizations.",
"id": "GHSA-xph3-vjcq-g488",
"modified": "2025-08-08T21:12:51Z",
"published": "2023-08-02T12:30:15Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-3426"
},
{
"type": "WEB",
"url": "https://github.com/liferay/liferay-portal/commit/b410f40233394d1d3d1076189befd4b33ba9fb47"
},
{
"type": "PACKAGE",
"url": "https://github.com/liferay/liferay-portal"
},
{
"type": "WEB",
"url": "https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2023-3426"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "Liferay Portal and Liferay DXP Organization Selector Does Not Check User Permissions "
}
GHSA-XPJH-VMFM-8QMF
Vulnerability from github – Published: 2025-01-28 00:32 – Updated: 2025-01-28 15:31An authentication issue was addressed with improved state management. This issue is fixed in Safari 18.2, macOS Sequoia 15.2, watchOS 11.2, iOS 18.2 and iPadOS 18.2. Private Browsing tabs may be accessed without authentication.
{
"affected": [],
"aliases": [
"CVE-2024-54542"
],
"database_specific": {
"cwe_ids": [
"CWE-862",
"CWE-863"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-01-27T22:15:14Z",
"severity": "HIGH"
},
"details": "An authentication issue was addressed with improved state management. This issue is fixed in Safari 18.2, macOS Sequoia 15.2, watchOS 11.2, iOS 18.2 and iPadOS 18.2. Private Browsing tabs may be accessed without authentication.",
"id": "GHSA-xpjh-vmfm-8qmf",
"modified": "2025-01-28T15:31:56Z",
"published": "2025-01-28T00:32:13Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-54542"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/121837"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/121839"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/121843"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/121846"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-XPPM-25H7-QF3Q
Vulnerability from github – Published: 2025-10-27 03:30 – Updated: 2026-01-20 15:31Missing Authorization vulnerability in Codeinwp Revive Old Posts tweet-old-post allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Revive Old Posts: from n/a through <= 9.3.3.
{
"affected": [],
"aliases": [
"CVE-2025-62954"
],
"database_specific": {
"cwe_ids": [
"CWE-862"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-10-27T02:15:55Z",
"severity": "HIGH"
},
"details": "Missing Authorization vulnerability in Codeinwp Revive Old Posts tweet-old-post allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Revive Old Posts: from n/a through \u003c= 9.3.3.",
"id": "GHSA-xppm-25h7-qf3q",
"modified": "2026-01-20T15:31:36Z",
"published": "2025-10-27T03:30:39Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-62954"
},
{
"type": "WEB",
"url": "https://patchstack.com/database/Wordpress/Plugin/tweet-old-post/vulnerability/wordpress-revive-old-posts-plugin-9-3-3-broken-access-control-vulnerability?_s_id=cve"
},
{
"type": "WEB",
"url": "https://vdp.patchstack.com/database/Wordpress/Plugin/tweet-old-post/vulnerability/wordpress-revive-old-posts-plugin-9-3-3-broken-access-control-vulnerability"
},
{
"type": "WEB",
"url": "https://vdp.patchstack.com/database/Wordpress/Plugin/tweet-old-post/vulnerability/wordpress-revive-old-posts-plugin-9-3-3-broken-access-control-vulnerability?_s_id=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-XPPV-4JRX-QF8M
Vulnerability from github – Published: 2026-04-16 01:35 – Updated: 2026-04-24 20:51Summary
wger exposes a global configuration edit endpoint at /config/gym-config/edit implemented by GymConfigUpdateView. The view declares permission_required = 'config.change_gymconfig' but does not enforce it because it inherits WgerFormMixin (ownership-only checks) instead of the project’s permission-enforcing mixin (WgerPermissionMixin) .
The edited object is a singleton (GymConfig(pk=1)) and the model does not implement get_owner_object(), so WgerFormMixin skips ownership enforcement. As a result, a low-privileged authenticated user can modify installation-wide configuration and trigger server-side side effects in GymConfig.save().
This is a vertical privilege escalation from a regular user to privileged global configuration control. The application explicitly declares permission_required = 'config.change_gymconfig', demonstrating that the action is intended to be restricted; however, this requirement is never enforced at runtime.
Affected endpoint
The config URLs map as follows.
File: wger/config/urls.py
patterns_gym_config = [
path('edit', gym_config.GymConfigUpdateView.as_view(), name='edit'),
]
urlpatterns = [
path(
'gym-config/',
include((patterns_gym_config, 'gym_config'), namespace='gym_config'),
),
]
This resolves to:
/config/gym-config/edit
Root cause
The view declares a permission but does not enforce it
File: wger/config/views/gym_config.py
class GymConfigUpdateView(WgerFormMixin, UpdateView):
model = GymConfig
fields = ('default_gym',)
permission_required = 'config.change_gymconfig'
success_url = reverse_lazy('gym:gym:list')
title = gettext_lazy('Edit')
def get_object(self):
return GymConfig.objects.get(pk=1)
The permission string exists, but WgerFormMixin does not check permission_required.
The project’s permission mixin exists but is not used
File: wger/utils/generic_views.py
class WgerPermissionMixin:
permission_required = False
login_required = False
def dispatch(self, request, *args, **kwargs):
if self.login_required or self.permission_required:
if not request.user.is_authenticated:
return HttpResponseRedirect(
reverse_lazy('core:user:login') + f'?next={request.path}'
)
if self.permission_required:
has_permission = False
if isinstance(self.permission_required, tuple):
for permission in self.permission_required:
if request.user.has_perm(permission):
has_permission = True
elif request.user.has_perm(self.permission_required):
has_permission = True
if not has_permission:
return HttpResponseForbidden('You are not allowed to access this object')
return super(WgerPermissionMixin, self).dispatch(request, *args, **kwargs)
GymConfigUpdateView does not inherit this mixin, so none of the login/permission logic runs.
The mixin that is used performs only ownership checks, and GymConfig has no owner
File: wger/utils/generic_views.py
class WgerFormMixin(ModelFormMixin):
def dispatch(self, request, *args, **kwargs):
self.kwargs = kwargs
self.request = request
if self.owner_object:
owner_object = self.owner_object['class'].objects.get(pk=kwargs[self.owner_object['pk']])
else:
try:
owner_object = self.get_object().get_owner_object()
except AttributeError:
owner_object = False
if owner_object and owner_object.user != self.request.user:
return HttpResponseForbidden('You are not allowed to access this object')
return super(WgerFormMixin, self).dispatch(request, *args, **kwargs)
File: wger/config/models/gym_config.py
class GymConfig(models.Model):
default_gym = models.ForeignKey(
Gym,
verbose_name=_('Default gym'),
# ...
null=True,
blank=True,
on_delete=models.CASCADE,
)
# No get_owner_object() method
Because GymConfig does not implement get_owner_object(), WgerFormMixin catches AttributeError and sets owner_object = False, skipping any access restriction.
Security impact
This is not a cosmetic setting: GymConfig.save() performs installation-wide side effects.
File: wger/config/models/gym_config.py
def save(self, *args, **kwargs):
if self.default_gym:
UserProfile.objects.filter(gym=None).update(gym=self.default_gym)
for profile in UserProfile.objects.filter(gym=self.default_gym):
user = profile.user
if not is_any_gym_admin(user):
try:
user.gymuserconfig
except GymUserConfig.DoesNotExist:
config = GymUserConfig()
config.gym = self.default_gym
config.user = user
config.save()
return super(GymConfig, self).save(*args, **kwargs)
On deployments with multiple gyms, this allows a low-privileged user to tamper with tenant assignment defaults, affecting new registrations and bulk-updating existing users lacking a gym. This permits unauthorized modification of installation-wide state and bulk updates to other users’ records, violating the intended administrative trust boundary.
Proof of concept (local verification)
Environment: local docker compose stack, accessed via http://127.0.0.1:8088/en/.
Observed behavior
An unauthenticated user can reach the endpoint via GET; POST requires authentication and redirects to login.
An authenticated low-privileged user can submit the form and change the global singleton. After the save, the application redirects to success_url = reverse_lazy('gym:gym:list') (e.g. /en/gym/list), which is permission-protected; therefore the browser may display a “Forbidden” page even though the global update already succeeded.
DB evidence (before/after)
Before submission:
default_gym_id= None
profiles_gym_null= 1
After a low-privileged user submitted the form setting default_gym to gym id 1:
default_gym_id= 1
profiles_gym_null= 0
Recommended fix
Ensure permission enforcement runs before the form dispatch.
Using the project mixin (order matters):
class GymConfigUpdateView(WgerPermissionMixin, WgerFormMixin, UpdateView):
permission_required = 'config.change_gymconfig'
login_required = True
Alternatively, use Django’s PermissionRequiredMixin (and LoginRequiredMixin) directly.
Conclusion
The view explicitly declares permission_required = 'config.change_gymconfig', which demonstrates developer intent that this action be restricted. The fact that it is not enforced constitutes improper access control regardless of perceived business impact.
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "wger"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "2.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-40474"
],
"database_specific": {
"cwe_ids": [
"CWE-284",
"CWE-862"
],
"github_reviewed": true,
"github_reviewed_at": "2026-04-16T01:35:16Z",
"nvd_published_at": "2026-04-17T22:16:33Z",
"severity": "HIGH"
},
"details": "## Summary\n\nwger exposes a global configuration edit endpoint at `/config/gym-config/edit` implemented by `GymConfigUpdateView`. The view declares `permission_required = \u0027config.change_gymconfig\u0027` but does not enforce it because it inherits `WgerFormMixin` (ownership-only checks) instead of the project\u2019s permission-enforcing mixin (`WgerPermissionMixin`) .\n\nThe edited object is a singleton (`GymConfig(pk=1)`) and the model does not implement `get_owner_object()`, so `WgerFormMixin` skips ownership enforcement. As a result, a low-privileged authenticated user can modify installation-wide configuration and trigger server-side side effects in `GymConfig.save()`.\n\nThis is a vertical privilege escalation from a regular user to privileged global configuration control.\nThe application explicitly declares permission_required = \u0027config.change_gymconfig\u0027, demonstrating that the action is intended to be restricted; however, this requirement is never enforced at runtime.\n\n## Affected endpoint\n\nThe config URLs map as follows.\n\nFile: `wger/config/urls.py`\n\n```python\npatterns_gym_config = [\n path(\u0027edit\u0027, gym_config.GymConfigUpdateView.as_view(), name=\u0027edit\u0027),\n]\n\nurlpatterns = [\n path(\n \u0027gym-config/\u0027,\n include((patterns_gym_config, \u0027gym_config\u0027), namespace=\u0027gym_config\u0027),\n ),\n]\n```\n\nThis resolves to:\n\n`/config/gym-config/edit`\n\n## Root cause\n\n### The view declares a permission but does not enforce it\n\nFile: `wger/config/views/gym_config.py`\n\n```python\nclass GymConfigUpdateView(WgerFormMixin, UpdateView):\n model = GymConfig\n fields = (\u0027default_gym\u0027,)\n permission_required = \u0027config.change_gymconfig\u0027\n success_url = reverse_lazy(\u0027gym:gym:list\u0027)\n title = gettext_lazy(\u0027Edit\u0027)\n\n def get_object(self):\n return GymConfig.objects.get(pk=1)\n```\n\nThe permission string exists, but `WgerFormMixin` does not check `permission_required`.\n\n### The project\u2019s permission mixin exists but is not used\n\nFile: `wger/utils/generic_views.py`\n\n```python\nclass WgerPermissionMixin:\n permission_required = False\n login_required = False\n\n def dispatch(self, request, *args, **kwargs):\n if self.login_required or self.permission_required:\n if not request.user.is_authenticated:\n return HttpResponseRedirect(\n reverse_lazy(\u0027core:user:login\u0027) + f\u0027?next={request.path}\u0027\n )\n\n if self.permission_required:\n has_permission = False\n if isinstance(self.permission_required, tuple):\n for permission in self.permission_required:\n if request.user.has_perm(permission):\n has_permission = True\n elif request.user.has_perm(self.permission_required):\n has_permission = True\n\n if not has_permission:\n return HttpResponseForbidden(\u0027You are not allowed to access this object\u0027)\n\n return super(WgerPermissionMixin, self).dispatch(request, *args, **kwargs)\n```\n\n`GymConfigUpdateView` does not inherit this mixin, so none of the login/permission logic runs.\n\n### The mixin that *is* used performs only ownership checks, and `GymConfig` has no owner\n\nFile: `wger/utils/generic_views.py`\n\n```python\nclass WgerFormMixin(ModelFormMixin):\n def dispatch(self, request, *args, **kwargs):\n self.kwargs = kwargs\n self.request = request\n\n if self.owner_object:\n owner_object = self.owner_object[\u0027class\u0027].objects.get(pk=kwargs[self.owner_object[\u0027pk\u0027]])\n else:\n try:\n owner_object = self.get_object().get_owner_object()\n except AttributeError:\n owner_object = False\n\n if owner_object and owner_object.user != self.request.user:\n return HttpResponseForbidden(\u0027You are not allowed to access this object\u0027)\n\n return super(WgerFormMixin, self).dispatch(request, *args, **kwargs)\n```\n\nFile: `wger/config/models/gym_config.py`\n\n```python\nclass GymConfig(models.Model):\n default_gym = models.ForeignKey(\n Gym,\n verbose_name=_(\u0027Default gym\u0027),\n # ...\n null=True,\n blank=True,\n on_delete=models.CASCADE,\n )\n # No get_owner_object() method\n```\n\nBecause `GymConfig` does not implement `get_owner_object()`, `WgerFormMixin` catches `AttributeError` and sets `owner_object = False`, skipping any access restriction.\n\n## Security impact\n\nThis is not a cosmetic setting: `GymConfig.save()` performs installation-wide side effects.\n\nFile: `wger/config/models/gym_config.py`\n\n```python\ndef save(self, *args, **kwargs):\n if self.default_gym:\n UserProfile.objects.filter(gym=None).update(gym=self.default_gym)\n\n for profile in UserProfile.objects.filter(gym=self.default_gym):\n user = profile.user\n if not is_any_gym_admin(user):\n try:\n user.gymuserconfig\n except GymUserConfig.DoesNotExist:\n config = GymUserConfig()\n config.gym = self.default_gym\n config.user = user\n config.save()\n\n return super(GymConfig, self).save(*args, **kwargs)\n```\n\nOn deployments with multiple gyms, this allows a low-privileged user to tamper with tenant assignment defaults, affecting new registrations and bulk-updating existing users lacking a gym. This permits unauthorized modification of installation-wide state and bulk updates to other users\u2019 records, violating the intended administrative trust boundary.\n\n## Proof of concept (local verification)\n\nEnvironment: local docker compose stack, accessed via `http://127.0.0.1:8088/en/`.\n\n### Observed behavior\n\nAn unauthenticated user can reach the endpoint via GET; POST requires authentication and redirects to login.\nAn authenticated low-privileged user can submit the form and change the global singleton. After the save, the application redirects to `success_url = reverse_lazy(\u0027gym:gym:list\u0027)` (e.g. `/en/gym/list`), which is permission-protected; therefore the browser may display a \u201cForbidden\u201d page even though the global update already succeeded.\n\n### DB evidence (before/after)\n\nBefore submission:\n\n```bash\ndefault_gym_id= None\nprofiles_gym_null= 1\n```\n\nAfter a low-privileged user submitted the form setting `default_gym` to gym id `1`:\n\n```bash\ndefault_gym_id= 1\nprofiles_gym_null= 0\n```\n\n## Recommended fix\n\nEnsure permission enforcement runs before the form dispatch.\n\nUsing the project mixin (order matters):\n\n```python\nclass GymConfigUpdateView(WgerPermissionMixin, WgerFormMixin, UpdateView):\n permission_required = \u0027config.change_gymconfig\u0027\n login_required = True\n```\n\nAlternatively, use Django\u2019s `PermissionRequiredMixin` (and `LoginRequiredMixin`) directly.\n\n## Conclusion \n\nThe view explicitly declares permission_required = \u0027config.change_gymconfig\u0027, which demonstrates developer intent that this action be restricted. The fact that it is not enforced constitutes improper access control regardless of perceived business impact.\n\n\u003cimg width=\"1912\" height=\"578\" alt=\"Screenshot 2026-02-27 230752\" src=\"https://github.com/user-attachments/assets/c627b404-6d9c-4477-88bd-f867d0fa09d2\" /\u003e",
"id": "GHSA-xppv-4jrx-qf8m",
"modified": "2026-04-24T20:51:15Z",
"published": "2026-04-16T01:35:16Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/wger-project/wger/security/advisories/GHSA-xppv-4jrx-qf8m"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-40474"
},
{
"type": "WEB",
"url": "https://github.com/wger-project/wger/commit/47ee5af93b3ced24b9f94b0a8b9296b50bc9523f"
},
{
"type": "PACKAGE",
"url": "https://github.com/wger-project/wger"
},
{
"type": "WEB",
"url": "https://github.com/wger-project/wger/releases/tag/2.5"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:L",
"type": "CVSS_V3"
}
],
"summary": "wger has Broken Access Control in Global Gym Configuration Update Endpoint"
}
Mitigation
- Divide the product into anonymous, normal, privileged, and administrative areas. Reduce the attack surface by carefully mapping roles with data and functionality. Use role-based access control (RBAC) [REF-229] to enforce the roles at the appropriate boundaries.
- Note that this approach may not protect against horizontal authorization, i.e., it will not protect a user from attacking others with the same role.
Mitigation
Ensure that access control checks are performed related to the business logic. These checks may be different than the access control checks that are applied to more generic resources such as files, connections, processes, memory, and database records. For example, a database may restrict access for medical records to a specific database user, but each record might only be intended to be accessible to the patient and the patient's doctor [REF-7].
Mitigation MIT-4.4
Strategy: Libraries or Frameworks
- Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid.
- For example, consider using authorization frameworks such as the JAAS Authorization Framework [REF-233] and the OWASP ESAPI Access Control feature [REF-45].
Mitigation
- For web applications, make sure that the access control mechanism is enforced correctly at the server side on every page. Users should not be able to access any unauthorized functionality or information by simply requesting direct access to that page.
- One way to do this is to ensure that all pages containing sensitive information are not cached, and that all such pages restrict access to requests that are accompanied by an active and authenticated session token associated with a user who has the required permissions to access that page.
Mitigation
Use the access control capabilities of your operating system and server environment and define your access control lists accordingly. Use a "default deny" policy when defining these ACLs.
CAPEC-665: Exploitation of Thunderbolt Protection Flaws
An adversary leverages a firmware weakness within the Thunderbolt protocol, on a computing device to manipulate Thunderbolt controller firmware in order to exploit vulnerabilities in the implementation of authorization and verification schemes within Thunderbolt protection mechanisms. Upon gaining physical access to a target device, the adversary conducts high-level firmware manipulation of the victim Thunderbolt controller SPI (Serial Peripheral Interface) flash, through the use of a SPI Programing device and an external Thunderbolt device, typically as the target device is booting up. If successful, this allows the adversary to modify memory, subvert authentication mechanisms, spoof identities and content, and extract data and memory from the target device. Currently 7 major vulnerabilities exist within Thunderbolt protocol with 9 attack vectors as noted in the Execution Flow.