CVE-2026-27835 (GCVE-0-2026-27835)

Vulnerability from cvelistv5 – Published: 2026-02-26 22:00 – Updated: 2026-02-26 22:00
VLAI?
Title
wger: IDOR in RepetitionsConfig and MaxRepetitionsConfig API leak other users' workout data
Summary
wger is a free, open-source workout and fitness manager. In versions up to and including 2.4, `RepetitionsConfigViewSet` and `MaxRepetitionsConfigViewSet` return all users' repetition config data because their `get_queryset()` calls `.all()` instead of filtering by the authenticated user. Any registered user can enumerate every other user's workout structure. Commit 1fda5690b35706bb137850c8a084ec6a13317b64 contains a fix for the issue.
Severity ?
4.3 (Medium)
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
CWE
  • CWE-639 - Authorization Bypass Through User-Controlled Key
Assigner
References
Impacted products
Vendor Product Version
wger-project wger Affected: <= 2.4
Create a notification for this product.
Show details on NVD website
To clipboard 

{
  "containers": {
    "cna": {
      "affected": [
        {
          "product": "wger",
          "vendor": "wger-project",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c= 2.4"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "wger is a free, open-source workout and fitness manager. In versions up to and including 2.4, `RepetitionsConfigViewSet` and `MaxRepetitionsConfigViewSet` return all users\u0027 repetition config data because their `get_queryset()` calls `.all()` instead of filtering by the authenticated user. Any registered user can enumerate every other user\u0027s workout structure. Commit 1fda5690b35706bb137850c8a084ec6a13317b64 contains a fix for the issue."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 4.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-639",
              "description": "CWE-639: Authorization Bypass Through User-Controlled Key",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-02-26T22:00:23.768Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/wger-project/wger/security/advisories/GHSA-xf68-8hjw-7mpm",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/wger-project/wger/security/advisories/GHSA-xf68-8hjw-7mpm"
        },
        {
          "name": "https://github.com/wger-project/wger/commit/1fda5690b35706bb137850c8a084ec6a13317b64",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/wger-project/wger/commit/1fda5690b35706bb137850c8a084ec6a13317b64"
        }
      ],
      "source": {
        "advisory": "GHSA-xf68-8hjw-7mpm",
        "discovery": "UNKNOWN"
      },
      "title": "wger: IDOR in RepetitionsConfig and MaxRepetitionsConfig API leak other users\u0027 workout data"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-27835",
    "datePublished": "2026-02-26T22:00:23.768Z",
    "dateReserved": "2026-02-24T02:32:39.800Z",
    "dateUpdated": "2026-02-26T22:00:23.768Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2026-27835\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2026-02-26T22:20:49.333\",\"lastModified\":\"2026-02-27T14:06:37.987\",\"vulnStatus\":\"Undergoing Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"wger is a free, open-source workout and fitness manager. In versions up to and including 2.4, `RepetitionsConfigViewSet` and `MaxRepetitionsConfigViewSet` return all users\u0027 repetition config data because their `get_queryset()` calls `.all()` instead of filtering by the authenticated user. Any registered user can enumerate every other user\u0027s workout structure. Commit 1fda5690b35706bb137850c8a084ec6a13317b64 contains a fix for the issue.\"},{\"lang\":\"es\",\"value\":\"wger es un gestor de entrenamientos y fitness gratuito y de c\u00f3digo abierto. En versiones hasta la 2.4 inclusive, \u0027RepetitionsConfigViewSet\u0027 y \u0027MaxRepetitionsConfigViewSet\u0027 devuelven los datos de configuraci\u00f3n de repeticiones de todos los usuarios porque su \u0027get_queryset()\u0027 llama a \u0027.all()\u0027 en lugar de filtrar por el usuario autenticado. Cualquier usuario registrado puede enumerar la estructura de entrenamiento de cualquier otro usuario. El commit 1fda5690b35706bb137850c8a084ec6a13317b64 contiene una soluci\u00f3n para el problema.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N\",\"baseScore\":4.3,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.8,\"impactScore\":1.4}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-639\"}]}],\"references\":[{\"url\":\"https://github.com/wger-project/wger/commit/1fda5690b35706bb137850c8a084ec6a13317b64\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/wger-project/wger/security/advisories/GHSA-xf68-8hjw-7mpm\",\"source\":\"security-advisories@github.com\"}]}}"
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.