Low severityNVD Advisory· Published Feb 26, 2026· Updated Mar 3, 2026
wger: IDOR via user-unscoped cache keys on routine API actions exposes workout data
CVE-2026-27838
Description
wger is a free, open-source workout and fitness manager. Five routine detail action endpoints check a cache before calling self.get_object(). In versions up to and including 2.4, ache keys are scoped only by pk — no user ID is included. When a victim has previously accessed their routine via the API, an attacker can retrieve the cached response for the same PK without any ownership check. Commit e964328784e2ee2830a1991d69fadbce86ac9fbf contains a patch for the issue.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
wgerPyPI | <= 2.1 | — |
Affected products
2- Range: <= 2.4
Patches
Vulnerability mechanics
References
4- github.com/advisories/GHSA-42cr-w2gr-m54qghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2026-27838ghsaADVISORY
- github.com/wger-project/wger/commit/e964328784e2ee2830a1991d69fadbce86ac9fbfghsax_refsource_MISCWEB
- github.com/wger-project/wger/security/advisories/GHSA-42cr-w2gr-m54qghsax_refsource_CONFIRMWEB
News mentions
0No linked articles in our index yet.