GHSA-MW8F-W6P8-XRF4: Cross-Tenant Account Deletion and Authorization Bypass in wger via Flawed Null Comparison
Vulnerability ID: GHSA-MW8F-W6P8-XRF4
CVSS Score: 9.9
Published: 2026-05-20
GHSA-MW8F-W6P8-XRF4 is a critical authorization bypass vulnerability in the wger fitness manager. The flaw exists due to an incomplete patch for CVE-2026-43948, leaving specific user management views vulnerable to flawed null value comparisons. This enables attackers with restricted permissions to permanently delete or deactivate arbitrary user accounts across the global unassigned user pool.
TL;DR
An incomplete patch in wger allows an attacker with limited gym management permissions to bypass tenant isolation and delete or deactivate unaffiliated user accounts by exploiting a Python null comparison logic error.
⚠️ Exploit Status: POC
Technical Details
- CWE ID: CWE-863
- Attack Vector: Network
- CVSS Score: 9.9
- Impact: Arbitrary cross-tenant account deletion and state manipulation
- Exploit Status: Proof of Concept available
- KEV Status: Not Listed
Affected Systems
- wger (PyPI package <= 2.5)
- wger Docker (wger/server:latest as of May 20, 2026)
- wger: <= 2.5
Mitigation Strategies
- Apply the vendor patch modifying raw gym_id inequality comparisons to use the is_same_gym() helper.
- Audit all users with gym.manage_gym or gym.gym_trainer permissions and ensure they are assigned a valid gym ID.
- Implement role assignment validation to prevent granting tenant management permissions to unaffiliated user profiles.
Remediation Steps
- Identify the deployed version of the wger application in the environment.
- If running via Docker, pull the latest updated image, which contains the corrected view logic.
- If running a local PyPI installation, manually apply the diff to wger/core/views/user.py replacing 'edit_user.userprofile.gym_id != request.user.userprofile.gym_id' with 'not is_same_gym(request.user, edit_user)'.
- Review the application database for any existing users with 'gym.manage_gym' permissions whose 'gym_id' is set to NULL.
- Assign a valid, isolated gym entity to the identified anomalous administrative accounts or revoke their privileges.
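The null-comparison flaw behind this advisory, shown as an added illustration rather than wger's own code: the pre-patch raw `gym_id` inequality check quoted above sits beside a helper with the semantics the advisory implies for `is_same_gym()` (a NULL gym never matches), plus the database audit from the remediation steps run over constructed accounts. The data model, the helper body, the permission map and the sample users are all assumptions.

```python
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Set

# Minimal stand-in for Django's User/UserProfile pair (assumption, not wger's models)
@dataclass
class UserProfile:
    gym_id: Optional[int]  # NULL in the database -> None here

@dataclass
class User:
    username: str
    userprofile: UserProfile

def vulnerable_is_blocked(actor: User, target: User) -> bool:
    """Pre-patch check as quoted in the advisory: deny only when gym_ids differ.
    In Python `None != None` evaluates to False, so a manager with no gym and an
    unaffiliated target both carrying NULL are treated as if they shared a gym."""
    return target.userprofile.gym_id != actor.userprofile.gym_id

def is_same_gym(actor: User, target: User) -> bool:
    """Assumed semantics of the patched helper: a NULL gym on either side never
    matches, so unaffiliated accounts are never reachable through tenant checks."""
    a = actor.userprofile.gym_id
    b = target.userprofile.gym_id
    if a is None or b is None:
        return False
    return a == b

def patched_is_blocked(actor: User, target: User) -> bool:
    """Post-patch form from the advisory: `not is_same_gym(request.user, edit_user)`."""
    return not is_same_gym(actor, target)

TENANT_PERMS: Set[str] = {"gym.manage_gym", "gym.gym_trainer"}

def find_unaffiliated_managers(users: Iterable[User], perms: Dict[str, Set[str]]) -> List[str]:
    """Remediation audit: accounts holding tenant-management permissions while
    their gym_id is NULL. `perms` maps username -> permission codenames (constructed)."""
    return sorted(u.username for u in users
                  if u.userprofile.gym_id is None and perms.get(u.username, set()) & TENANT_PERMS)

# Constructed sample accounts (not real data)
manager_no_gym = User("orphan_manager", UserProfile(gym_id=None))
unaffiliated = User("unassigned_member", UserProfile(gym_id=None))
coach_gym1 = User("coach1", UserProfile(gym_id=1))
member_gym1 = User("member1", UserProfile(gym_id=1))
member_gym2 = User("member2", UserProfile(gym_id=2))
SAMPLE_USERS = [manager_no_gym, unaffiliated, coach_gym1, member_gym1, member_gym2]
SAMPLE_PERMS = {"orphan_manager": {"gym.manage_gym"}, "coach1": {"gym.gym_trainer"}}

if __name__ == "__main__":
    print("pre-patch blocks NULL/NULL:", vulnerable_is_blocked(manager_no_gym, unaffiliated))
    print("patched blocks NULL/NULL:", patched_is_blocked(manager_no_gym, unaffiliated))
    print("managers to fix:", find_unaffiliated_managers(SAMPLE_USERS, SAMPLE_PERMS))
```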
References
- NVD - CVE-2026-43948
- GitHub Advisory Database - GHSA-mhc8-p3jx-84mm
- GitHub Advisory Database - GHSA-MW8F-W6P8-XRF4
- OSV Database - GHSA-mw8f-w6p8-xrf4
- Wger Repository