CVE-2026-27839 PUBLISHED

wger: IDOR in nutritional_values endpoints exposes private dietary data via direct ORM lookup

Assigner: GitHub_M
Reserved: 24.02.2026 Published: 26.02.2026 Updated: 26.02.2026

wger is a free, open-source workout and fitness manager. In versions up to and including 2.4, three nutritional_values action endpoints fetch objects via Model.objects.get(pk=pk) — a raw ORM call that bypasses the user-scoped queryset. Any authenticated user can read another user's private nutrition plan data, including caloric intake and full macro breakdown, by supplying an arbitrary PK. Commit 29876a1954fe959e4b58ef070170e81703dab60e contains a fix for the issue.

Metrics

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
CVSS Score: 4.3

Product Status

Vendor wger-project
Product wger
Versions
  • Version <= 2.4 is affected

References

Problem Types

  • CWE-639: Authorization Bypass Through User-Controlled Key CWE