{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-27839", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-02-24T02:32:39.801Z", "datePublished": "2026-02-26T22:07:43.640Z", "dateUpdated": "2026-03-03T01:36:50.202Z"}, "containers": {"cna": {"title": "wger: IDOR in nutritional_values endpoints exposes private dietary data via direct ORM lookup", "problemTypes": [{"descriptions": [{"cweId": "CWE-639", "lang": "en", "description": "CWE-639: Authorization Bypass Through User-Controlled Key", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/wger-project/wger/security/advisories/GHSA-g8gc-6c4h-jg86", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/wger-project/wger/security/advisories/GHSA-g8gc-6c4h-jg86"}, {"name": "https://github.com/wger-project/wger/commit/29876a1954fe959e4b58ef070170e81703dab60e", "tags": ["x_refsource_MISC"], "url": "https://github.com/wger-project/wger/commit/29876a1954fe959e4b58ef070170e81703dab60e"}], "affected": [{"vendor": "wger-project", "product": "wger", "versions": [{"version": "<= 2.4", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-02-26T22:07:43.640Z"}, "descriptions": [{"lang": "en", "value": "wger is a free, open-source workout and fitness manager. In versions up to and including 2.4, three `nutritional_values` action endpoints fetch objects via `Model.objects.get(pk=pk)` \u2014 a raw ORM call that bypasses the user-scoped queryset. Any authenticated user can read another user's private nutrition plan data, including caloric intake and full macro breakdown, by supplying an arbitrary PK. Commit 29876a1954fe959e4b58ef070170e81703dab60e contains a fix for the issue."}], "source": {"advisory": "GHSA-g8gc-6c4h-jg86", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-03T01:36:36.210139Z", "id": "CVE-2026-27839", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-03T01:36:50.202Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-27839", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-03T01:36:36.210139Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-03T01:36:45.710Z"}}], "cna": {"title": "wger: IDOR in nutritional_values endpoints exposes private dietary data via direct ORM lookup", "source": {"advisory": "GHSA-g8gc-6c4h-jg86", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}}], "affected": [{"vendor": "wger-project", "product": "wger", "versions": [{"status": "affected", "version": "<= 2.4"}]}], "references": [{"url": "https://github.com/wger-project/wger/security/advisories/GHSA-g8gc-6c4h-jg86", "name": "https://github.com/wger-project/wger/security/advisories/GHSA-g8gc-6c4h-jg86", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/wger-project/wger/commit/29876a1954fe959e4b58ef070170e81703dab60e", "name": "https://github.com/wger-project/wger/commit/29876a1954fe959e4b58ef070170e81703dab60e", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "wger is a free, open-source workout and fitness manager. In versions up to and including 2.4, three `nutritional_values` action endpoints fetch objects via `Model.objects.get(pk=pk)` \u2014 a raw ORM call that bypasses the user-scoped queryset. Any authenticated user can read another user's private nutrition plan data, including caloric intake and full macro breakdown, by supplying an arbitrary PK. Commit 29876a1954fe959e4b58ef070170e81703dab60e contains a fix for the issue."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-639", "description": "CWE-639: Authorization Bypass Through User-Controlled Key"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-02-26T22:07:43.640Z"}}}, "cveMetadata": {"cveId": "CVE-2026-27839", "state": "PUBLISHED", "dateUpdated": "2026-03-03T01:36:50.202Z", "dateReserved": "2026-02-24T02:32:39.801Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-02-26T22:07:43.640Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:wger:wger:*:*:*:*:*:*:*:*", "matchCriteriaId": "069E9B5B-A461-47CB-90EA-9A0F99C25C77", "versionEndIncluding": "2.4", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "wger is a free, open-source workout and fitness manager. In versions up to and including 2.4, three `nutritional_values` action endpoints fetch objects via `Model.objects.get(pk=pk)` \u2014 a raw ORM call that bypasses the user-scoped queryset. Any authenticated user can read another user's private nutrition plan data, including caloric intake and full macro breakdown, by supplying an arbitrary PK. Commit 29876a1954fe959e4b58ef070170e81703dab60e contains a fix for the issue."}, {"lang": "es", "value": "wger es un gestor gratuito y de c\u00f3digo abierto de entrenamientos y estado f\u00edsico. En las versiones hasta la 2.4 inclusive, tres puntos finales de acci\u00f3n 'nutritional_values' recuperan objetos a trav\u00e9s de 'Model.objects.get(pk=pk)' \u2014 una llamada ORM directa que omite el queryset con \u00e1mbito de usuario. Cualquier usuario autenticado puede leer los datos del plan de nutrici\u00f3n privado de otro usuario, incluyendo la ingesta cal\u00f3rica y el desglose completo de macronutrientes, al proporcionar un PK arbitrario. El commit 29876a1954fe959e4b58ef070170e81703dab60e contiene una soluci\u00f3n para el problema."}], "id": "CVE-2026-27839", "lastModified": "2026-03-03T00:49:06.300", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-02-26T23:16:35.123", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/wger-project/wger/commit/29876a1954fe959e4b58ef070170e81703dab60e"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/wger-project/wger/security/advisories/GHSA-g8gc-6c4h-jg86"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-639"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,2.4]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "product": "wger", "vendor": "wger-project"}], "analysis": {"en": {"generated_at": "2026-04-16T15:58:50.953802+00:00", "value": {"mitigation_remediation": ["Upgrade wger to a version that includes the fix from commit 29876a1954fe959e4b58ef070170e81703dab60e (any release newer than 2.4).", "If an upgrade is not immediately possible, modify the application to enforce ownership checks on nutritional_values endpoints or replace the direct ORM calls with a scoped queryset that validates the requestor\u2019s permissions.", "Validate and monitor API usage for anomalous access patterns, particularly requests that include uncommon primary keys or frequent cross\u2011user data retrieval."], "summary": {"action": "Apply Patch", "impact": "Information Disclosure of Personal Dietary Data"}, "threat_synthesis": {"affected_systems": "The issue affects the wger project\u2019s wger application in all releases up to and including version 2.4. The vulnerable code resides in the nutritional_values endpoints. The code was fixed in commit 29876a1954fe959e4b58ef070170e81703dab60e, which should be applied to releases beyond 2.4.", "description_and_impact": "The vulnerability is an IDOR (CWE\u2011639) in the nutritional_values endpoints of the wger open\u2011source fitness manager. Three API routes use a direct ORM lookup via Model.objects.get(pk=pk), ignoring the user\u2011scoped queryset. An authenticated user can supply any primary key and read another user\u2019s private nutrition plan, including caloric intake and macro breakdown, thereby disclosing personally sensitive health data. The flaw does not provide privilege escalation, denial of service, or remote code execution; its main consequence is confidentiality loss.", "risk_and_exploitability": "The CVSS base score is 4.3, indicating a moderate severity, while the EPSS score is less than 1%, suggesting a low likelihood of exploitation at present. The flaw is not listed in KEV, implying no known active use in the wild. Exploitation requires an authenticated user who can send requests with arbitrary primary keys to the endpoints; no special privileges beyond authentication are needed. An attacker could extract sensitive personal health information, potentially impacting privacy and personal security."}}}}, "created": "2026-02-27T09:03:58.306974+00:00", "updated": "2026-04-16T16:00:13.890787+00:00", "vendors": ["wger-project", "wger-project$PRODUCT$wger"]}