CVE-2026-43977 PUBLISHED

wger IDOR: Authenticated Users Can Read Others' Private Workout Session Data via Template Routine API

Assigner: GitHub_M
Reserved: 04.05.2026 Published: 16.07.2026 Updated: 17.07.2026

wger is a free, open-source workout and fitness manager. In versions prior to 2.6, any authenticated user can read another user's private workout session notes, exercise history, and training statistics by calling the /logs/ and /stats/ actions on a routine they do not own. The vulnerability exists in RoutineViewSet (wger/manager/api/views.py). The view defines two custom actions /logs/ and /stats/ that are intended to return data for the requesting user's own training history within a routine. However, the underlying permission check (RoutinePermission.has_object_permission) grants read access to any authenticated user when the routine has is_template=True, regardless of ownership. When the /logs/ or /stats/ actions are invoked against a routine the attacker does not own, they return the owner's private workout history, not the attacker's. This issue has been fixed in version 2.6.

Metrics

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CVSS Score: 7.5

Product Status

Vendor wger-project
Product wger
Versions
  • Version < 2.6 is affected

References

Problem Types

  • CWE-639: Authorization Bypass Through User-Controlled Key CWE
  • CWE-863: Incorrect Authorization CWE