CVE-2026-27839

wger is a free, open-source workout and fitness manager. In versions up to and including 2.4, three `nutritional_values` action endpoints fetch objects via `Model.objects.get(pk=pk)` — a raw ORM call that bypasses the user-scoped queryset. Any authenticated user can read another user's private nutrition plan data, including caloric intake and full macro breakdown, by supplying an arbitrary PK. Commit 29876a1954fe959e4b58ef070170e81703dab60e contains a fix for the issue.

CVSS v3 4.3 MEDIUM

4.3^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 2.8 / Impact : 1.4

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://github.com/wger-project/wger/commit/29876a1954fe959e4b58ef070170e81703dab60e	Patch
https://github.com/wger-project/wger/security/advisories/GHSA-g8gc-6c4h-jg86	Exploit Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:wger:wger:*:*:*:*:*:*:*:*

History

No history.

Information

Published : 2026-02-26 23:16

Updated : 2026-03-03 00:49

NVD link : CVE-2026-27839

Mitre link : CVE-2026-27839

CVE.ORG link : CVE-2026-27839

JSON object : View

Products Affected

wger

wger

CWE

CWE-639

Authorization Bypass Through User-Controlled Key

{"id": "CVE-2026-27839", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}, "impactScore": 1.4, "exploitabilityScore": 2.8}]}, "published": "2026-02-26T23:16:35.123", "references": [{"url": "https://github.com/wger-project/wger/commit/29876a1954fe959e4b58ef070170e81703dab60e", "tags": ["Patch"], "source": "security-advisories@github.com"}, {"url": "https://github.com/wger-project/wger/security/advisories/GHSA-g8gc-6c4h-jg86", "tags": ["Exploit", "Vendor Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-639"}]}], "descriptions": [{"lang": "en", "value": "wger is a free, open-source workout and fitness manager. In versions up to and including 2.4, three `nutritional_values` action endpoints fetch objects via `Model.objects.get(pk=pk)` \u2014 a raw ORM call that bypasses the user-scoped queryset. Any authenticated user can read another user's private nutrition plan data, including caloric intake and full macro breakdown, by supplying an arbitrary PK. Commit 29876a1954fe959e4b58ef070170e81703dab60e contains a fix for the issue."}, {"lang": "es", "value": "wger es un gestor gratuito y de c\u00f3digo abierto de entrenamientos y estado f\u00edsico. En las versiones hasta la 2.4 inclusive, tres puntos finales de acci\u00f3n 'nutritional_values' recuperan objetos a trav\u00e9s de 'Model.objects.get(pk=pk)' \u2014 una llamada ORM directa que omite el queryset con \u00e1mbito de usuario. Cualquier usuario autenticado puede leer los datos del plan de nutrici\u00f3n privado de otro usuario, incluyendo la ingesta cal\u00f3rica y el desglose completo de macronutrientes, al proporcionar un PK arbitrario. El commit 29876a1954fe959e4b58ef070170e81703dab60e contiene una soluci\u00f3n para el problema."}], "lastModified": "2026-03-03T00:49:06.300", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:wger:wger:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "069E9B5B-A461-47CB-90EA-9A0F99C25C77", "versionEndIncluding": "2.4"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}