CVE-2026-27839 (GCVE-0-2026-27839)

Vulnerability from cvelistv5 – Published: 2026-02-26 22:07 – Updated: 2026-02-26 22:07
Title
wger: IDOR in nutritional_values endpoints exposes private dietary data via direct ORM lookup
Summary
wger is a free, open-source workout and fitness manager. In versions up to and including 2.4, three `nutritional_values` action endpoints fetch objects via `Model.objects.get(pk=pk)` — a raw ORM call that bypasses the user-scoped queryset. Any authenticated user can read another user's private nutrition plan data, including caloric intake and full macro breakdown, by supplying an arbitrary PK. Commit 29876a1954fe959e4b58ef070170e81703dab60e contains a fix for the issue.
CWE
  • CWE-639 - Authorization Bypass Through User-Controlled Key
Assigner
GitHub_M
Impacted products
Vendor: wger-project
Product: wger
Version: Affected: <= 2.4

{
  "containers": {
    "cna": {
      "affected": [
        {
          "product": "wger",
          "vendor": "wger-project",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c= 2.4"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "wger is a free, open-source workout and fitness manager. In versions up to and including 2.4, three `nutritional_values` action endpoints fetch objects via `Model.objects.get(pk=pk)` \u2014 a raw ORM call that bypasses the user-scoped queryset. Any authenticated user can read another user\u0027s private nutrition plan data, including caloric intake and full macro breakdown, by supplying an arbitrary PK. Commit 29876a1954fe959e4b58ef070170e81703dab60e contains a fix for the issue."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 4.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-639",
              "description": "CWE-639: Authorization Bypass Through User-Controlled Key",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-02-26T22:07:43.640Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/wger-project/wger/security/advisories/GHSA-g8gc-6c4h-jg86",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/wger-project/wger/security/advisories/GHSA-g8gc-6c4h-jg86"
        },
        {
          "name": "https://github.com/wger-project/wger/commit/29876a1954fe959e4b58ef070170e81703dab60e",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/wger-project/wger/commit/29876a1954fe959e4b58ef070170e81703dab60e"
        }
      ],
      "source": {
        "advisory": "GHSA-g8gc-6c4h-jg86",
        "discovery": "UNKNOWN"
      },
      "title": "wger: IDOR in nutritional_values endpoints exposes private dietary data via direct ORM lookup"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-27839",
    "datePublished": "2026-02-26T22:07:43.640Z",
    "dateReserved": "2026-02-24T02:32:39.801Z",
    "dateUpdated": "2026-02-26T22:07:43.640Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2026-27839\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2026-02-26T23:16:35.123\",\"lastModified\":\"2026-02-27T14:06:37.987\",\"vulnStatus\":\"Undergoing Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"wger is a free, open-source workout and fitness manager. In versions up to and including 2.4, three `nutritional_values` action endpoints fetch objects via `Model.objects.get(pk=pk)` \u2014 a raw ORM call that bypasses the user-scoped queryset. Any authenticated user can read another user\u0027s private nutrition plan data, including caloric intake and full macro breakdown, by supplying an arbitrary PK. Commit 29876a1954fe959e4b58ef070170e81703dab60e contains a fix for the issue.\"},{\"lang\":\"es\",\"value\":\"wger es un gestor gratuito y de c\u00f3digo abierto de entrenamientos y estado f\u00edsico. En las versiones hasta la 2.4 inclusive, tres puntos finales de acci\u00f3n \u0027nutritional_values\u0027 recuperan objetos a trav\u00e9s de \u0027Model.objects.get(pk=pk)\u0027 \u2014 una llamada ORM directa que omite el queryset con \u00e1mbito de usuario. Cualquier usuario autenticado puede leer los datos del plan de nutrici\u00f3n privado de otro usuario, incluyendo la ingesta cal\u00f3rica y el desglose completo de macronutrientes, al proporcionar un PK arbitrario. El commit 29876a1954fe959e4b58ef070170e81703dab60e contiene una soluci\u00f3n para el problema.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N\",\"baseScore\":4.3,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.8,\"impactScore\":1.4}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-639\"}]}],\"references\":[{\"url\":\"https://github.com/wger-project/wger/commit/29876a1954fe959e4b58ef070170e81703dab60e\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/wger-project/wger/security/advisories/GHSA-g8gc-6c4h-jg86\",\"source\":\"security-advisories@github.com\"}]}}"
  }
}

