VYPR
Moderate severity · NVD Advisory · Published Feb 26, 2026 · Updated Mar 3, 2026

wger: IDOR in RepetitionsConfig and MaxRepetitionsConfig API leak other users' workout data

CVE-2026-27835

Description

wger is a free, open-source workout and fitness manager. In versions up to and including 2.4, RepetitionsConfigViewSet and MaxRepetitionsConfigViewSet return all users' repetition config data because their get_queryset() calls .all() instead of filtering by the authenticated user. Any registered user can enumerate every other user's workout structure. Commit 1fda5690b35706bb137850c8a084ec6a13317b64 contains a fix for the issue.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

wger up to 2.4 leaks all users' repetition configs via IDOR in API endpoints due to missing user filter.

Vulnerability

In wger versions up to and including 2.4, the RepetitionsConfigViewSet and MaxRepetitionsConfigViewSet API views fail to filter query results by the authenticated user. Their get_queryset() methods call .all() instead of applying a user-based filter, returning all users' repetition configuration data [1]. This contrasts with sibling viewsets like WeightConfigViewSet, which correctly filter by user [3].
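The pattern described above (a get_queryset() that returns .all() while sibling viewsets narrow on request.user) is easy to catch with a source audit, which also serves as a check that a fix of the kind described under Mitigation was actually applied. The following is an added example, not wger's code: a stdlib-only ast check that flags DRF-style viewsets whose get_queryset() returns an unfiltered .all(). The viewset sources it scans are constructed samples modelled on the advisory text, and the filter path slot_entry__slot__day__routine__user is an assumed name.

```python
import ast

# Constructed sample sources modelled on the advisory text, not the real wger code.
SAMPLE_SOURCE = '''
class RepetitionsConfigViewSet(viewsets.ModelViewSet):
    def get_queryset(self):
        return RepetitionsConfig.objects.all()

class WeightConfigViewSet(viewsets.ModelViewSet):
    def get_queryset(self):
        return WeightConfig.objects.filter(
            slot_entry__slot__day__routine__user=self.request.user)
'''

def _method_calls(node):
    """Names of every attribute-style call (x.all(), x.filter(...)) under node."""
    return {n.func.attr for n in ast.walk(node)
            if isinstance(n, ast.Call) and isinstance(n.func, ast.Attribute)}

def _mentions_request_user(node):
    """True if the expression references <obj>.request.user anywhere."""
    return any(isinstance(n, ast.Attribute) and n.attr == 'user'
               and isinstance(n.value, ast.Attribute) and n.value.attr == 'request'
               for n in ast.walk(node))

def find_unscoped_viewsets(source):
    """Return names of *ViewSet classes whose get_queryset() returns a queryset
    built with .all() that is never narrowed by a .filter()/.exclude() on request.user."""
    findings = []
    for cls in ast.walk(ast.parse(source)):
        if not (isinstance(cls, ast.ClassDef) and cls.name.endswith('ViewSet')):
            continue
        for fn in cls.body:
            if not (isinstance(fn, ast.FunctionDef) and fn.name == 'get_queryset'):
                continue
            for ret in ast.walk(fn):
                if not isinstance(ret, ast.Return) or ret.value is None:
                    continue
                calls = _method_calls(ret.value)
                user_scoped = bool(calls & {'filter', 'exclude'}) and \
                    _mentions_request_user(ret.value)
                if 'all' in calls and not user_scoped:
                    findings.append(cls.name)
    return findings

if __name__ == '__main__':
    print(find_unscoped_viewsets(SAMPLE_SOURCE))  # ['RepetitionsConfigViewSet']
```

A viewset that filters on something other than the requesting user (for example a public flag) is still reported, since that does not scope the queryset per user.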

Exploitation

Any registered user can exploit this by sending GET requests to /api/v2/repetitions-config/ or /api/v2/max-repetitions-config/. Since registration is open by default and user IDs are sequential, an attacker can easily enumerate the entire set of repetition configs across all users [3]. No special privileges or network position are required beyond being an authenticated user.

Impact

An attacker gains unauthorized access to every user's workout structure, including slot entry IDs, iteration values, operations, step counts, repeat flags, and requirement JSON objects. This constitutes a broken object-level authorization (BOLA/IDOR) vulnerability, categorized under OWASP API1 [3]. The exposed data can reveal private workout routines, potentially leading to further privacy violations.

Mitigation

The vulnerability is fixed in commit 1fda5690b35706bb137850c8a084ec6a13317b64, which adds the same user filter used by other config viewsets [4]. Users should update to the latest version or apply the patch. No workaround is documented; restricting registration may reduce attack surface but does not fully mitigate the issue [1].

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package | Affected versions | Patched versions
wger (PyPI) | <= 2.1 |

Affected products: 2

  • Wger/Wger (llm-fuzzy)
    Range: <= 2.4
  • wger-project/wger (v5)
    Range: <= 2.4

Patches: 1

Commit 1fda5690b357

Properly check that the user owns the measurement category while saving

https://github.com/wger-project/wger · Roland Geider · Feb 26, 2026 · via ghsa
2 files changed · +20 −4
  • wger/manager/api/views.py (+1 −1, modified)
    @@ -280,7 +280,7 @@ def get_owner_objects(self):
             """
             Return objects to check for ownership permission
             """
    -        return [(Routine, 'workout')]
    +        return [(Routine, 'routine')]
     
     
     class WorkoutLogViewSet(WgerOwnerObjectModelViewSet):
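Review bot: the key in `return [(Routine, 'routine')]` must match the name of the foreign-key field on the objects this viewset serves; if `'workout'` was a stale name left over from a field rename, the ownership check was being evaluated against an attribute that no longer exists. A regression test in which a second user requests this viewset's detail and write endpoints and receives 403 would confirm that the lookup now resolves.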
    
  • wger/measurements/api/views.py (+19 −3, modified)
    @@ -18,8 +18,11 @@
     # Standard Library
     import logging
     
    +# Django
    +from django.contrib.auth.models import User
    +from django.core.exceptions import PermissionDenied
    +
     # Third Party
    -from rest_framework import viewsets
     from rest_framework.permissions import IsAuthenticated
     
     # wger
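Review bot: `PermissionDenied` is imported here but none of the visible hunks use it; either it is used in code outside the diff or it is an unused import that should be dropped. Removing `from rest_framework import viewsets` is only safe once every `viewsets.ModelViewSet` reference in this file is converted; the later hunks convert `CategoryViewSet` and `MeasurementViewSet`, so confirm no other class in the module still refers to `viewsets`.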
    @@ -32,12 +35,13 @@
         Category,
         Measurement,
     )
    +from wger.utils.viewsets import WgerOwnerObjectModelViewSet
     
     
     logger = logging.getLogger(__name__)
     
     
    -class CategoryViewSet(viewsets.ModelViewSet):
    +class CategoryViewSet(WgerOwnerObjectModelViewSet):
         """
         API endpoint for measurement units
         """
    @@ -64,8 +68,14 @@ def perform_create(self, serializer):
             """
             serializer.save(user=self.request.user)
     
    +    def get_owner_objects(self):
    +        """
    +        Return objects to check for ownership permission
    +        """
    +        return [(User, 'user')]
    +
     
    -class MeasurementViewSet(viewsets.ModelViewSet):
    +class MeasurementViewSet(WgerOwnerObjectModelViewSet):
         """
         API endpoint for measurements
         """
    @@ -76,6 +86,12 @@ class MeasurementViewSet(viewsets.ModelViewSet):
         ordering_fields = '__all__'
         filterset_class = MeasurementEntryFilterSet
     
    +    def get_owner_objects(self):
    +        """
    +        Return objects to check for ownership permission
    +        """
    +        return [(Category, 'category')]
    +
         def get_queryset(self):
             """
             Only allow access to appropriate objects
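Review bot: `[(Category, 'category')]` makes the save-time check verify that the referenced category belongs to the requesting user, which matches the commit message; reads are left to the existing `get_queryset()` ("Only allow access to appropriate objects") immediately below, so the fix is two layers, scoped reads plus owner-checked writes. Note that none of the hunks in this patch touch `RepetitionsConfigViewSet` or `MaxRepetitionsConfigViewSet`, the classes named in the description above, so readers should verify that commit 1fda5690b35706bb137850c8a084ec6a13317b64 is the fix for the repetition-config leak rather than a related measurement-ownership fix.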
    

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References: 4

News mentions: 0

No linked articles in our index yet.