CVE-2026-27839
Published 2026-02-26
Priority: P4 (25) · Severity: medium · CVSS 3.1 base score: 4.3
CVSS 3.1 vector: AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
EPSS: 0.26% (percentile 17.3)
wger is a free, open-source workout and fitness manager. In versions up to and including 2.4, three `nutritional_values` action endpoints fetch objects via `Model.objects.get(pk=pk)` — a raw ORM call that bypasses the user-scoped queryset. Any authenticated user can read another user's private nutrition plan data, including caloric intake and full macro breakdown, by supplying an arbitrary PK. Commit 29876a1954fe959e4b58ef070170e81703dab60e contains a fix for the issue.
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| wger-project | wger | <= 2.4 | — |
| wger | wger | <= 2.4 | — |
| wger | wger | 0 – 2.1 | — |
OSV
CVE-2026-27839 [MEDIUM] wger: IDOR in nutritional_values endpoints exposes private dietary data via direct ORM lookup
osv · 2026-02-26
## Summary
Three `nutritional_values` action endpoints fetch objects via `Model.objects.get(pk=pk)` — a raw ORM call that bypasses the user-scoped queryset. Any authenticated user can read another user's private nutrition plan data, including caloric intake and full macro breakdown, by supplying an arbitrary PK.
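As an added illustration (not wger's code; Django and DRF are replaced by a few-line in-memory stand-in so it runs offline), a hypothetical `NutritionPlanViewSet` shows the raw `Model.objects.get(pk=pk)` lookup beside the same action resolved through the user-scoped queryset, which is what `self.get_object()` does in DRF: the first returns any user's plan for any PK, the second only the caller's own.

```python
from dataclasses import dataclass

class NotFound(Exception):
    """Stand-in for the 404 that DRF's get_object() raises on a miss."""

@dataclass(frozen=True)
class NutritionPlan:
    pk: int
    user: str
    calories: int

class QuerySet:
    """Minimal stand-in for a Django queryset: filter() narrows, get() needs one hit."""
    def __init__(self, rows):
        self._rows = list(rows)
    def filter(self, **lookups):
        return QuerySet(r for r in self._rows
                        if all(getattr(r, k) == v for k, v in lookups.items()))
    def get(self, **lookups):
        hits = self.filter(**lookups)._rows
        if len(hits) != 1:
            raise NotFound(f"no single object matching {lookups}")
        return hits[0]

# Constructed sample data (hypothetical): two users, one private plan each.
ALL_PLANS = QuerySet([NutritionPlan(pk=1, user="alice", calories=2100),
                      NutritionPlan(pk=2, user="bob", calories=1800)])

class NutritionPlanViewSet:
    """Hypothetical viewset mirroring the DRF pattern the advisory describes."""
    def __init__(self, request_user):
        self.request_user = request_user
    def get_queryset(self):
        # The user-scoped queryset that list/retrieve already go through.
        return ALL_PLANS.filter(user=self.request_user)
    def get_object(self, pk):
        # What DRF's self.get_object() does: resolve pk through get_queryset().
        return self.get_queryset().get(pk=pk)
    def nutritional_values_vulnerable(self, pk):
        plan = ALL_PLANS.get(pk=pk)  # VULNERABLE: global lookup, any user's pk resolves
        return {"calories": plan.calories}
    def nutritional_values_fixed(self, pk):
        plan = self.get_object(pk)  # scoped lookup: another user's pk raises NotFound
        return {"calories": plan.calories}
```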
### Details
DRF detail actions do not automatically apply queryset filtering — the action must call `self.get_object()` to enforce object-level permissions. These three endpoints skip that and go directly to the ORM:
`wger/nutrition/api/views.py`:
```python
# line 301 — NutritionPlanViewSet
plan = NutritionPlan.objects.get(pk=pk)  # VULNERABLE — no user check
# line 356 — MealViewSet
```
GHSA
CVE-2026-27839 [MEDIUM] CWE-639 wger: IDOR in nutritional_values endpoints exposes private dietary data via direct ORM lookup
ghsa · 2026-02-26
No detection rules found.
No public exploits indexed.
Published: 2026-02-26