VYPR
Low severityNVD Advisory· Published Feb 26, 2026· Updated Mar 3, 2026

wger: IDOR via user-unscoped cache keys on routine API actions exposes workout data

CVE-2026-27838

Description

wger is a free, open-source workout and fitness manager. Five routine detail action endpoints check a cache before calling self.get_object(). In versions up to and including 2.4, ache keys are scoped only by pk — no user ID is included. When a victim has previously accessed their routine via the API, an attacker can retrieve the cached response for the same PK without any ownership check. Commit e964328784e2ee2830a1991d69fadbce86ac9fbf contains a patch for the issue.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected packages

Versions sourced from the GitHub Security Advisory.

PackageAffected versionsPatched versions
wgerPyPI
<= 2.1

Affected products

2

Patches

Vulnerability mechanics

References

4

News mentions

0

No linked articles in our index yet.