CVE-2026-27838
Published 2026-02-26
Priority: P4 | Severity: Low | CVSS 3.1 base score: 3.5 | Vector: AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N
EPSS: 0.24% (15.6th percentile)
wger is a free, open-source workout and fitness manager. Five routine detail action endpoints check a cache before calling `self.get_object()`. In versions up to and including 2.4, cache keys are scoped only by `pk` — no user ID is included. When a victim has previously accessed their routine via the API, an attacker can retrieve the cached response for the same PK without any ownership check. Commit e964328784e2ee2830a1991d69fadbce86ac9fbf contains a patch for the issue.
Affected (3 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| wger-project | wger | <= 2.4 | — |
| wger | wger | <= 2.4 | — |
| wger | wger | 0 – 2.1 | — |
OSV (osv · 2026-02-26)
CVE-2026-27838 [LOW] wger: IDOR via user-unscoped cache keys on routine API actions exposes workout data
### Summary
Five routine detail action endpoints check a cache before calling `self.get_object()`. Cache keys are scoped only by `pk` — no user ID is included. When a victim has previously accessed their routine via the API, an attacker can retrieve the cached response for the same PK without any ownership check.
### Details
`wger/manager/api/views.py` — five actions follow this pattern (lines 134–201):
```python
from django.core.cache import cache
from rest_framework.decorators import action
from rest_framework.response import Response


# Method of the routine viewset; make_routine_api_date_sequence_display_cache_key
# is the project's own helper and builds the key from pk alone.
@action(detail=True)
def date_sequence_display_mode(self, request, pk=None):
    cache_key = make_routine_api_date_sequence_display_cache_key(pk)  # no user ID in the key
    cached = cache.get(cache_key)
    if cached:
        return Response(cached)  # returned WITHOUT calling self.get_object()
    # only reaches ownership check on cache miss
```
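To make the failure mode concrete, the following is an added, self-contained illustration (not wger's code, and not the fix from the referenced commit): a constructed in-memory "database" and cache, the vulnerable ordering from the advisory (cache consulted before the ownership check, key scoped by `pk` only), and one reasonable hardened ordering (authorize on every request, and scope the key by user ID as well). All names (`Store`, `Routine`, `vulnerable_display`, `hardened_display`, `demo`) are invented for the demo.

```python
"""Constructed illustration of the CVE-2026-27838 pattern: a per-pk cache
consulted before the ownership check, next to a hardened version.
This is not wger's code; the names below are invented for the demo."""
from dataclasses import dataclass, field


class PermissionDenied(Exception):
    """Stand-in for the 403/404 a real API view would return."""


@dataclass
class Routine:
    pk: int
    owner_id: int
    name: str


@dataclass
class Store:
    """Constructed 'database' plus a shared, process-wide cache (a dict)."""
    routines: dict = field(default_factory=dict)
    cache: dict = field(default_factory=dict)

    def get_object(self, user_id, pk):
        # Ownership check: equivalent of a queryset filtered by the requesting user.
        routine = self.routines.get(pk)
        if routine is None or routine.owner_id != user_id:
            raise PermissionDenied(f"user {user_id} may not read routine {pk}")
        return routine


def render(routine):
    return {"pk": routine.pk, "name": routine.name}


def vulnerable_display(store, user_id, pk):
    """Cache key scoped only by pk; cache is checked before get_object()."""
    cache_key = f"routine-display-{pk}"       # no user id in the key
    cached = store.cache.get(cache_key)
    if cached:
        return cached                         # ownership check skipped entirely
    routine = store.get_object(user_id, pk)   # only reached on a cache miss
    data = render(routine)
    store.cache[cache_key] = data
    return data


def hardened_display(store, user_id, pk):
    """Authorize first, then cache under a key that also includes the user id."""
    routine = store.get_object(user_id, pk)   # ownership check on every request
    cache_key = f"routine-display-{user_id}-{pk}"
    cached = store.cache.get(cache_key)
    if cached:
        return cached
    data = render(routine)
    store.cache[cache_key] = data
    return data


def make_store():
    # Constructed sample data: one routine owned by user 100.
    store = Store()
    store.routines[1] = Routine(pk=1, owner_id=100, name="victim's push day")
    return store


def demo(view):
    """Victim (user 100) warms the cache, then another user (200) requests the
    same pk. Returns what user 200 gets: the cached dict, or 'denied'."""
    store = make_store()
    view(store, 100, 1)  # victim's legitimate request populates the cache
    try:
        return view(store, 200, 1)
    except PermissionDenied:
        return "denied"


if __name__ == "__main__":
    print("vulnerable:", demo(vulnerable_display))  # the other user receives the victim's data
    print("hardened:  ", demo(hardened_display))    # denied
```

The two fixes are independent: calling `get_object()` before touching the cache is what closes the authorization bypass, while adding the user ID to the key is defence in depth against the same key ever being shared across principals again. A useful review heuristic for any DRF `@action` is that no `cache.get()` should precede the call that enforces object permissions.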
GHSA (ghsa · 2026-02-26)
CVE-2026-27838 [LOW] CWE-639 wger: IDOR via user-unscoped cache keys on routine API actions exposes workout data
Advisory text identical to the OSV entry above.
No detection rules found.
No public exploits indexed.
Published: 2026-02-26