GHSA-mw8f-w6p8-xrf4: wger: cross-tenant account deletion / deactivation / activation by gym.manage_gym + gym=None
Summary
wger, a fitness tracking application, contains an authorization flaw: a gym staff member who holds the `gym.manage_gym` permission but has no gym assigned (gym = None) can delete, deactivate, or reactivate any other user who also has no gym assigned. The affected views guard the action with a `gym_id !=` comparison between the acting user's profile and the target's profile; when both values are `None` the comparison is false, so the check passes and the intended per-gym isolation is bypassed. Three views in `wger/core/views/user.py` were left unpatched when the same bug was fixed elsewhere in the code base.
Solution / Mitigation
The maintainer's suggested fix is to replace the vulnerable `userprofile.gym_id !=` comparisons in `wger/core/views/user.py` (UserDeactivateView at line 405, UserActivateView at line 442, and the user delete view at line 131) with the existing `is_same_gym()` helper, which only treats two gyms as equal when neither is `None` (`gym_a is not None and gym_a == gym_b`). That helper has already been applied to the views in `wger/gym/views/{admin_notes,document,contract,gym}.py`; the same change is still needed in the three `wger/core/views/user.py` views listed above.
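The following is an added example, not wger's own code, that reproduces the `None != None` bypass beside the `is_same_gym()` form of the check and enumerates which (actor, target) pairs the old check lets through. The `Profile` dataclass, the `manage_gym` boolean standing in for Django's permission check, the two `*_may_manage` functions and the sample users are all assumptions made for illustration; only the comparison logic mirrors what the advisory describes.

```python
"""
Added example (not wger's code): the None == None authorization bypass from
GHSA-mw8f-w6p8-xrf4, side by side with the is_same_gym() fix.

Profile is a simplified stand-in for wger's UserProfile; manage_gym stands in
for the gym.manage_gym permission. Django request handling is omitted.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Profile:
    """gym_id is None for users who are not assigned to any gym."""
    username: str
    gym_id: Optional[int]
    manage_gym: bool = False  # assumed stand-in for the gym.manage_gym permission


def is_same_gym(gym_a: Optional[int], gym_b: Optional[int]) -> bool:
    """Helper as described in the advisory: two unassigned gyms are never 'the same'."""
    return gym_a is not None and gym_a == gym_b


def vulnerable_may_manage(actor: Profile, target: Profile) -> bool:
    """Pre-fix check: deny only when the gym ids differ.

    When both gym_id values are None, `None != None` evaluates to False, so the
    guard falls through and a gym-less manager can act on any gym-less user.
    """
    if not actor.manage_gym:
        return False
    if target.gym_id != actor.gym_id:
        return False
    return True


def fixed_may_manage(actor: Profile, target: Profile) -> bool:
    """Post-fix check: require a concrete shared gym, which excludes None/None."""
    if not actor.manage_gym:
        return False
    if not is_same_gym(actor.gym_id, target.gym_id):
        return False
    return True


# Constructed sample users (not real wger data)
USERS = [
    Profile("mgr_nogym", None, manage_gym=True),
    Profile("mgr_gym1", 1, manage_gym=True),
    Profile("member_nogym", None),
    Profile("member_gym1", 1),
    Profile("member_gym2", 2),
]


def bypass_pairs(profiles: List[Profile]) -> List[Tuple[str, str]]:
    """Return (actor, target) pairs the old check allows but the fixed check denies.

    This is the audit a practitioner would run against their own user set to see
    exactly which cross-tenant actions the bug exposed.
    """
    pairs = []
    for actor in profiles:
        for target in profiles:
            if actor is target:
                continue
            if vulnerable_may_manage(actor, target) and not fixed_may_manage(actor, target):
                pairs.append((actor.username, target.username))
    return pairs


if __name__ == "__main__":
    for actor_name, target_name in bypass_pairs(USERS):
        print(f"BYPASS: {actor_name} could deactivate/activate/delete {target_name}")
```

Running the block lists the single pair in the sample set where the old guard fails: the gym-less manager acting on the gym-less member. Managers with a real gym are unaffected because `1 != None` and `None != 1` are both true and already deny the action; only the `None`/`None` pairing slips through.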
Classification
Affected Packages
Original source: https://github.com/advisories/GHSA-mw8f-w6p8-xrf4
First tracked: May 20, 2026 at 02:00 PM
Classified by LLM (prompt v3) · confidence: 95%