{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/cve-2026-43978/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["wger (\u003c= 2.5)"],"_cs_severities":["high"],"_cs_tags":["privilege-escalation","web-application","CVE-2026-43978"],"_cs_type":"advisory","_cs_vendors":["pip"],"content_html":"\u003cp\u003eA privilege escalation vulnerability exists in wger versions 2.5 and earlier, identified as CVE-2026-43978. This flaw allows a gym trainer to escalate their session to a gym manager or general manager account by chaining two calls to the \u003ccode\u003etrainer-login\u003c/code\u003e endpoint. The vulnerability stems from an insufficient permission check in \u003ccode\u003ewger/core/views/user.py\u003c/code\u003e, where the \u003ccode\u003etrainer.identity\u003c/code\u003e session flag bypasses permission checks on subsequent calls to the trainer-login endpoint. This allows the trainer to escalate privileges without proper authorization. The issue was reported on May 14, 2026 and impacts instances of wger version 2.5 and prior.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker logs in to the wger application as a gym trainer with limited privileges.\u003c/li\u003e\n\u003cli\u003eThe trainer initiates a legitimate switch to a lower-privileged user account using the \u003ccode\u003e/en/user/\u0026lt;user_id\u0026gt;/trainer-login\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eUpon successful switch, the application sets the \u003ccode\u003etrainer.identity\u003c/code\u003e flag in the user\u0026rsquo;s session, identifying the original trainer.\u003c/li\u003e\n\u003cli\u003eThe attacker, now operating under the context of the lower-privileged user, makes another call to \u003ccode\u003e/en/user/\u0026lt;manager_id\u0026gt;/trainer-login\u003c/code\u003e, this time targeting a gym manager account.\u003c/li\u003e\n\u003cli\u003eDue to the presence of the \u003ccode\u003etrainer.identity\u003c/code\u003e flag, the permission check at \u003ccode\u003ewger/core/views/user.py:169\u003c/code\u003e is bypassed, allowing the trainer-login to proceed without validating if the current user has \u003ccode\u003egym_trainer\u003c/code\u003e permissions.\u003c/li\u003e\n\u003cli\u003eBecause the user is no longer a trainer, the check on line 173 in \u003ccode\u003ewger/core/views/user.py\u003c/code\u003e is not reached, which would normally block escalation to \u003ccode\u003emanage_gym\u003c/code\u003e or \u003ccode\u003emanage_gyms\u003c/code\u003e permissions.\u003c/li\u003e\n\u003cli\u003eThe attacker\u0026rsquo;s session is now elevated to that of the gym manager, granting them full administrative privileges.\u003c/li\u003e\n\u003cli\u003eThe attacker can now access sensitive data, modify gym settings, and perform other actions as a gym manager.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability (CVE-2026-43978) allows a malicious gym trainer to gain unauthorized access to sensitive information and administrative functions within the wger application. This includes the ability to view member data, modify contracts, manage gym configurations, and access other trainers\u0026rsquo; and managers\u0026rsquo; personal information. The attacker can effectively take over the gym manager\u0026rsquo;s account, potentially impacting all gym operations and member data.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply the patch provided in the advisory to \u003ccode\u003ewger/core/views/user.py\u003c/code\u003e to fix the permission check logic (see the \u0026ldquo;How to fix\u0026rdquo; section in the advisory).\u003c/li\u003e\n\u003cli\u003eUpgrade wger to a version greater than 2.5 to remediate CVE-2026-43978.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect wger Trainer Login Privilege Escalation Attempt\u0026rdquo; to your SIEM to detect exploitation attempts.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for unusual activity related to the \u003ccode\u003e/en/user/\u0026lt;user_id\u0026gt;/trainer-login\u003c/code\u003e endpoint, which may indicate attempts to exploit this vulnerability.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-14T16:26:14Z","date_published":"2026-05-14T16:26:14Z","id":"https://feed.craftedsignal.io/briefs/2026-05-wger-privesc/","summary":"A gym trainer in wger (\u003c= 2.5) can escalate privileges to a gym manager by chaining calls to the trainer-login endpoint due to a flawed permission check, as tracked by CVE-2026-43978.","title":"wger Trainer Login Privilege Escalation Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-05-wger-privesc/"}],"language":"en","title":"CraftedSignal Threat Feed — CVE-2026-43978","version":"https://jsonfeed.org/version/1.1"}