{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-27835", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-02-24T02:32:39.800Z", "datePublished": "2026-02-26T22:00:23.768Z", "dateUpdated": "2026-03-03T01:38:18.118Z"}, "containers": {"cna": {"title": "wger: IDOR in RepetitionsConfig and MaxRepetitionsConfig API leak other users' workout data", "problemTypes": [{"descriptions": [{"cweId": "CWE-639", "lang": "en", "description": "CWE-639: Authorization Bypass Through User-Controlled Key", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/wger-project/wger/security/advisories/GHSA-xf68-8hjw-7mpm", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/wger-project/wger/security/advisories/GHSA-xf68-8hjw-7mpm"}, {"name": "https://github.com/wger-project/wger/commit/1fda5690b35706bb137850c8a084ec6a13317b64", "tags": ["x_refsource_MISC"], "url": "https://github.com/wger-project/wger/commit/1fda5690b35706bb137850c8a084ec6a13317b64"}], "affected": [{"vendor": "wger-project", "product": "wger", "versions": [{"version": "<= 2.4", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-02-26T22:00:23.768Z"}, "descriptions": [{"lang": "en", "value": "wger is a free, open-source workout and fitness manager. In versions up to and including 2.4, `RepetitionsConfigViewSet` and `MaxRepetitionsConfigViewSet` return all users' repetition config data because their `get_queryset()` calls `.all()` instead of filtering by the authenticated user. Any registered user can enumerate every other user's workout structure. Commit 1fda5690b35706bb137850c8a084ec6a13317b64 contains a fix for the issue."}], "source": {"advisory": "GHSA-xf68-8hjw-7mpm", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-03T01:38:05.962535Z", "id": "CVE-2026-27835", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-03T01:38:18.118Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-27835", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-03T01:38:05.962535Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-03T01:38:13.735Z"}}], "cna": {"title": "wger: IDOR in RepetitionsConfig and MaxRepetitionsConfig API leak other users' workout data", "source": {"advisory": "GHSA-xf68-8hjw-7mpm", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}}], "affected": [{"vendor": "wger-project", "product": "wger", "versions": [{"status": "affected", "version": "<= 2.4"}]}], "references": [{"url": "https://github.com/wger-project/wger/security/advisories/GHSA-xf68-8hjw-7mpm", "name": "https://github.com/wger-project/wger/security/advisories/GHSA-xf68-8hjw-7mpm", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/wger-project/wger/commit/1fda5690b35706bb137850c8a084ec6a13317b64", "name": "https://github.com/wger-project/wger/commit/1fda5690b35706bb137850c8a084ec6a13317b64", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "wger is a free, open-source workout and fitness manager. In versions up to and including 2.4, `RepetitionsConfigViewSet` and `MaxRepetitionsConfigViewSet` return all users' repetition config data because their `get_queryset()` calls `.all()` instead of filtering by the authenticated user. Any registered user can enumerate every other user's workout structure. Commit 1fda5690b35706bb137850c8a084ec6a13317b64 contains a fix for the issue."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-639", "description": "CWE-639: Authorization Bypass Through User-Controlled Key"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-02-26T22:00:23.768Z"}}}, "cveMetadata": {"cveId": "CVE-2026-27835", "state": "PUBLISHED", "dateUpdated": "2026-03-03T01:38:18.118Z", "dateReserved": "2026-02-24T02:32:39.800Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-02-26T22:00:23.768Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:wger:wger:*:*:*:*:*:*:*:*", "matchCriteriaId": "069E9B5B-A461-47CB-90EA-9A0F99C25C77", "versionEndIncluding": "2.4", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "wger is a free, open-source workout and fitness manager. In versions up to and including 2.4, `RepetitionsConfigViewSet` and `MaxRepetitionsConfigViewSet` return all users' repetition config data because their `get_queryset()` calls `.all()` instead of filtering by the authenticated user. Any registered user can enumerate every other user's workout structure. Commit 1fda5690b35706bb137850c8a084ec6a13317b64 contains a fix for the issue."}, {"lang": "es", "value": "wger es un gestor de entrenamientos y fitness gratuito y de c\u00f3digo abierto. En versiones hasta la 2.4 inclusive, 'RepetitionsConfigViewSet' y 'MaxRepetitionsConfigViewSet' devuelven los datos de configuraci\u00f3n de repeticiones de todos los usuarios porque su 'get_queryset()' llama a '.all()' en lugar de filtrar por el usuario autenticado. Cualquier usuario registrado puede enumerar la estructura de entrenamiento de cualquier otro usuario. El commit 1fda5690b35706bb137850c8a084ec6a13317b64 contiene una soluci\u00f3n para el problema."}], "id": "CVE-2026-27835", "lastModified": "2026-03-03T20:01:10.130", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-02-26T22:20:49.333", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/wger-project/wger/commit/1fda5690b35706bb137850c8a084ec6a13317b64"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/wger-project/wger/security/advisories/GHSA-xf68-8hjw-7mpm"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-639"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,2.4]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "product": "wger", "vendor": "wger-project"}], "analysis": {"en": {"generated_at": "2026-04-17T14:14:21.806489+00:00", "value": {"mitigation_remediation": ["Upgrade wger to the latest release that includes commit 1fda5690b35706bb137850c8a084ec6a13317b64, which applies the necessary filtering to the querysets.", "Configure application logic to verify that the authenticated user\u2019s ID matches the owner of each repetition configuration before sending it in responses, ensuring cross-user data cannot be retrieved even if the database query is misconfigured.", "Temporarily restrict or rate\u2011limit anonymous API access until the application is fully secured to reduce the attack surface."], "summary": {"action": "Immediate Patch", "impact": "Information disclosure via an IDOR that allows an authenticated user to view other users' workout configuration data"}, "threat_synthesis": {"affected_systems": "The affected product is the open\u2011source wger workout manager, versions up to and including 2.4. Any installation of the 2.4 branch or prior versions that had not been patched with commit 1fda5690b35706bb137850c8a084ec6a13317b64 is susceptible.", "description_and_impact": "The vulnerability is an Insecure Direct Object Reference in two API endpoints that manage repetition configuration data. The viewsets inadvertently return all users\u2019 data instead of filtering to the authenticated account, enabling privacy violations with no code execution or privilege escalation. This issue is classified under CWE\u2011639.", "risk_and_exploitability": "The CVSS score of 4.3 reflects a medium confidentiality impact, while an EPSS score of less than 1\u202f% indicates a very low likelihood of exploitation. The vulnerability is not listed in the CISA KEV catalog. An attacker only needs a legitimate user account and can trigger the flaw by making a normal API request to the vulnerable endpoints; no special conditions are required."}}}}, "created": "2026-02-27T09:04:00.912495+00:00", "updated": "2026-04-17T14:15:21.827675+00:00", "vendors": ["wger-project", "wger-project$PRODUCT$wger"]}