{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-27838", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-02-24T02:32:39.801Z", "datePublished": "2026-02-26T22:04:57.968Z", "dateUpdated": "2026-03-03T01:37:38.975Z"}, "containers": {"cna": {"title": "wger: IDOR via user-unscoped cache keys on routine API actions exposes workout data", "problemTypes": [{"descriptions": [{"cweId": "CWE-639", "lang": "en", "description": "CWE-639: Authorization Bypass Through User-Controlled Key", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 3.1, "baseSeverity": "LOW", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/wger-project/wger/security/advisories/GHSA-42cr-w2gr-m54q", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/wger-project/wger/security/advisories/GHSA-42cr-w2gr-m54q"}, {"name": "https://github.com/wger-project/wger/commit/e964328784e2ee2830a1991d69fadbce86ac9fbf", "tags": ["x_refsource_MISC"], "url": "https://github.com/wger-project/wger/commit/e964328784e2ee2830a1991d69fadbce86ac9fbf"}], "affected": [{"vendor": "wger-project", "product": "wger", "versions": [{"version": "<= 2.4", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-02-26T22:04:57.968Z"}, "descriptions": [{"lang": "en", "value": "wger is a free, open-source workout and fitness manager. Five routine detail action endpoints check a cache before calling `self.get_object()`. In versions up to and including 2.4, ache keys are scoped only by `pk` \u2014 no user ID is included. When a victim has previously accessed their routine via the API, an attacker can retrieve the cached response for the same PK without any ownership check. Commit e964328784e2ee2830a1991d69fadbce86ac9fbf contains a patch for the issue."}], "source": {"advisory": "GHSA-42cr-w2gr-m54q", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-03T01:37:27.777120Z", "id": "CVE-2026-27838", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-03T01:37:38.975Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-27838", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-03T01:37:27.777120Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-03T01:37:34.898Z"}}], "cna": {"title": "wger: IDOR via user-unscoped cache keys on routine API actions exposes workout data", "source": {"advisory": "GHSA-42cr-w2gr-m54q", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 3.1, "attackVector": "NETWORK", "baseSeverity": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}}], "affected": [{"vendor": "wger-project", "product": "wger", "versions": [{"status": "affected", "version": "<= 2.4"}]}], "references": [{"url": "https://github.com/wger-project/wger/security/advisories/GHSA-42cr-w2gr-m54q", "name": "https://github.com/wger-project/wger/security/advisories/GHSA-42cr-w2gr-m54q", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/wger-project/wger/commit/e964328784e2ee2830a1991d69fadbce86ac9fbf", "name": "https://github.com/wger-project/wger/commit/e964328784e2ee2830a1991d69fadbce86ac9fbf", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "wger is a free, open-source workout and fitness manager. Five routine detail action endpoints check a cache before calling `self.get_object()`. In versions up to and including 2.4, ache keys are scoped only by `pk` \u2014 no user ID is included. When a victim has previously accessed their routine via the API, an attacker can retrieve the cached response for the same PK without any ownership check. Commit e964328784e2ee2830a1991d69fadbce86ac9fbf contains a patch for the issue."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-639", "description": "CWE-639: Authorization Bypass Through User-Controlled Key"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-02-26T22:04:57.968Z"}}}, "cveMetadata": {"cveId": "CVE-2026-27838", "state": "PUBLISHED", "dateUpdated": "2026-03-03T01:37:38.975Z", "dateReserved": "2026-02-24T02:32:39.801Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-02-26T22:04:57.968Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:wger:wger:*:*:*:*:*:*:*:*", "matchCriteriaId": "069E9B5B-A461-47CB-90EA-9A0F99C25C77", "versionEndIncluding": "2.4", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "wger is a free, open-source workout and fitness manager. Five routine detail action endpoints check a cache before calling `self.get_object()`. In versions up to and including 2.4, ache keys are scoped only by `pk` \u2014 no user ID is included. When a victim has previously accessed their routine via the API, an attacker can retrieve the cached response for the same PK without any ownership check. Commit e964328784e2ee2830a1991d69fadbce86ac9fbf contains a patch for the issue."}, {"lang": "es", "value": "wger es un gestor de entrenamientos y fitness gratuito y de c\u00f3digo abierto. Cinco endpoints de acci\u00f3n de detalle de rutina verifican una cach\u00e9 antes de llamar a `self.get_object()`. En versiones hasta la 2.4 inclusive, las claves de cach\u00e9 se limitan solo por `pk` \u2014 no se incluye ning\u00fan ID de usuario. Cuando una v\u00edctima ha accedido previamente a su rutina a trav\u00e9s de la API, un atacante puede recuperar la respuesta en cach\u00e9 para el mismo PK sin ninguna verificaci\u00f3n de propiedad. El commit e964328784e2ee2830a1991d69fadbce86ac9fbf contiene un parche para el problema."}], "id": "CVE-2026-27838", "lastModified": "2026-03-03T00:50:54.890", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 3.1, "baseSeverity": "LOW", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 1.6, "impactScore": 1.4, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 3.5, "baseSeverity": "LOW", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.1, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-02-26T23:16:34.963", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/wger-project/wger/commit/e964328784e2ee2830a1991d69fadbce86ac9fbf"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/wger-project/wger/security/advisories/GHSA-42cr-w2gr-m54q"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-639"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,2.4]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "product": "wger", "vendor": "wger-project"}], "analysis": {"en": {"generated_at": "2026-04-16T15:59:10.287147+00:00", "value": {"mitigation_remediation": ["Upgrade to the patched version of wger or apply the commit e964328784e2ee2830a1991d69fadbce86ac9fbf that scopes cache keys by user ID.", "If an upgrade is not possible, modify the application\u2019s caching layer to include the authenticated user\u2019s identifier in the cache key for routine endpoints, or disable caching for these endpoints entirely.", "Implement monitoring of routine API requests to detect repeated accesses to the same routine identifier by different user principals, and alert administrators to potential unauthorized data access."], "summary": {"action": "Apply patch", "impact": "Unauthorized data disclosure"}, "threat_synthesis": {"affected_systems": "The flaw affects the wger open-source workout manager compiled under the vendor wger\u2011project:wger. Versions up to and including 2.4 are impacted, as the code prior to commit e964328784e2ee2830a1991d69fadbce86ac9fbf implements the incorrect cache key. Subsequent releases containing the patch have resolved the issue.", "description_and_impact": "The vulnerability allows an attacker to read another user's workout routines via the API when a routine has already been cached. The API checks a cache before calling get_object, but the cache keys are scoped only by the primary key, not the user ID. As a result, once a user accesses a routine, an attacker with knowledge of the primary key can retrieve the cached response without performing an ownership check. This results in unauthorized disclosure of personal fitness data, a breach of confidentiality for users of wger. The weakness maps to CWE\u2011639.", "risk_and_exploitability": "With a CVSS score of 3.1 the vulnerability is classified as moderate. The EPSS score is below 1\u202f%, indicating a very low likelihood of exploitation at present, and it is not listed in the CISA Known Exploited Vulnerabilities catalog. The likely exploitation path requires the attacker to know the routine\u2019s primary key and have access to the API, either by having been authenticated or by observing an authenticated request. If the API is protected, the attacker would need to observe or obtain a valid session; if not, unauthenticated users may still be able to retrieve cached routines. In either case, the missing user ID in the cache key allows the attacker to bypass ownership checks and retrieve confidential user data."}}}}, "created": "2026-02-27T09:03:59.171884+00:00", "updated": "2026-04-16T16:00:13.894804+00:00", "vendors": ["wger-project", "wger-project$PRODUCT$wger"]}