CVE-2026-27839 in wger

Summary

by MITRE • 02/27/2026

wger is a free, open-source workout and fitness manager. In versions up to and including 2.4, three `nutritional_values` action endpoints fetch objects via `Model.objects.get(pk=pk)` — a raw ORM call that bypasses the user-scoped queryset. Any authenticated user can read another user's private nutrition plan data, including caloric intake and full macro breakdown, by supplying an arbitrary PK. Commit 29876a1954fe959e4b58ef070170e81703dab60e contains a fix for the issue.

Analysis

by VulDB Data Team • 03/03/2026

The vulnerability identified as CVE-2026-27839 affects wger, a free and open-source workout and fitness management platform, specifically in versions up to and including 2.4. This security flaw stems from improper access control implementation within the application's backend logic, creating a critical authorization bypass that allows authenticated users to access sensitive data belonging to other users. The issue manifests through three specific endpoints that handle nutritional values, where the application employs raw Object Relational Mapping (ORM) calls without proper user context validation.

The technical implementation of this vulnerability involves three `nutritional_values` action endpoints that utilize `Model.objects.get(pk=pk)` to retrieve data objects. This approach directly accesses database records by primary key without incorporating user-scoped querysets that would normally restrict access to only the authenticated user's own data. The raw ORM call bypasses the application's intended access control mechanisms, effectively allowing any authenticated user to retrieve private nutrition plan information simply by providing an arbitrary primary key value. This represents a fundamental failure in the principle of least privilege and demonstrates a classic authorization bypass vulnerability.

The operational impact of this vulnerability extends beyond simple data exposure, as it compromises the privacy and confidentiality of user fitness information. Attackers can access detailed caloric intake data, comprehensive macro breakdowns, and other sensitive nutritional information belonging to other users. This data could potentially be used for identity theft, social engineering attacks, or other malicious activities that exploit personal health information. The vulnerability affects all authenticated users of the platform, making it particularly concerning for a fitness application that handles sensitive personal health data. From an attacker's perspective, this represents a low-effort, high-impact method of data exfiltration that requires no specialized tools or complex exploitation techniques.

The fix implemented in commit 29876a1954fe959e4b58ef070170e81703dab60e addresses this vulnerability by properly scoping the database queries to ensure that users can only access their own data. This remediation aligns with security best practices and follows the principle of least privilege by implementing proper authorization checks before data retrieval. The solution likely involves modifying the ORM queries to include user context filtering or implementing proper access control middleware that validates user ownership before data access. This vulnerability maps to CWE-285 (Improper Authorization) and could be categorized under ATT&CK technique T1078 (Valid Accounts) as it exploits legitimate authenticated user access to gain unauthorized data access. Organizations using affected versions of wger should immediately implement the patch and conduct thorough security assessments to ensure no unauthorized access has occurred. The incident highlights the critical importance of proper access control implementation in web applications, particularly those handling sensitive personal information, and serves as a reminder that even seemingly simple ORM operations can create significant security vulnerabilities when not properly scoped to user contexts.
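The two lookups the analysis contrasts, the raw `Model.objects.get(pk=pk)` and its user-scoped replacement, together with a retrospective check of the kind the last paragraph recommends, as an added illustration that is not wger's code and not the contents of the fix commit. The in-memory `QuerySet` stands in for the Django ORM so the example runs without Django; the `NutritionPlan` fields, the usernames, the request-log shape and the `/api/v2/nutritionplan/<pk>/nutritional_values/` path are assumptions chosen for the example.

```python
import re
from dataclasses import dataclass, field


class DoesNotExist(Exception):
    """Stand-in for Django's Model.DoesNotExist."""


class QuerySet:
    """Minimal imitation of the two ORM calls the advisory contrasts."""

    def __init__(self, rows):
        self._rows = list(rows)

    def __iter__(self):
        return iter(self._rows)

    def filter(self, **kwargs):
        # Keep only rows whose attributes equal every kwarg (e.g. user="alice")
        return QuerySet(r for r in self._rows
                        if all(getattr(r, k) == v for k, v in kwargs.items()))

    def get(self, **kwargs):
        matches = self.filter(**kwargs)._rows
        if len(matches) != 1:
            raise DoesNotExist(f"no unique row for {kwargs}")
        return matches[0]


@dataclass
class NutritionPlan:
    pk: int
    user: str                      # owning username (assumed field, not wger's schema)
    kcal: int
    macros: dict = field(default_factory=dict)


# Constructed sample table standing in for NutritionPlan.objects: one private plan per user.
NutritionPlan.objects = QuerySet([
    NutritionPlan(1, "alice", 2100, {"protein": 150, "carbs": 220, "fat": 70}),
    NutritionPlan(2, "bob", 1800, {"protein": 130, "carbs": 180, "fat": 60}),
])


def nutritional_values_vulnerable(request_user: str, pk: int) -> dict:
    """The flawed pattern: a raw primary-key lookup never consults who is asking,
    so any authenticated user reads any plan whose pk they supply."""
    plan = NutritionPlan.objects.get(pk=pk)      # request_user is ignored
    return {"kcal": plan.kcal, **plan.macros}


def nutritional_values_fixed(request_user: str, pk: int) -> dict:
    """The scoped pattern: restrict to the caller's rows first, then look up the pk.
    A pk owned by someone else is indistinguishable from a missing one, which is
    what a DRF viewset gets from get_object_or_404(self.get_queryset(), pk=pk)."""
    plan = NutritionPlan.objects.filter(user=request_user).get(pk=pk)
    return {"kcal": plan.kcal, **plan.macros}


def fixed_denies(request_user: str, pk: int) -> bool:
    """True when the scoped endpoint refuses the (user, pk) pair."""
    try:
        nutritional_values_fixed(request_user, pk)
    except DoesNotExist:
        return True
    return False


# Assumed request-log shape (constructed for this example, not wger's real log format):
#   "<user> GET <path> <status>", with the path following the DRF convention
#   /api/v2/nutritionplan/<pk>/nutritional_values/
_LOG_RE = re.compile(
    r"^(?P<user>\S+) GET /api/v2/nutritionplan/(?P<pk>\d+)/nutritional_values/ (?P<status>\d{3})$"
)


def audit_cross_user_reads(log_lines) -> list:
    """Retrospective check for the pre-patch window: return (user, pk) pairs where a
    successful nutritional_values request hit a plan the caller does not own.
    Those rows are the unauthorized access the advisory says to look for."""
    owner_by_pk = {plan.pk: plan.user for plan in NutritionPlan.objects}
    findings = []
    for line in log_lines:
        m = _LOG_RE.match(line.strip())
        if not m or m["status"] != "200":
            continue
        user, pk = m["user"], int(m["pk"])
        if owner_by_pk.get(pk) != user:
            findings.append((user, pk))
    return findings


# Constructed sample log: one cross-user read, one request already refused after patching.
SAMPLE_LOG = [
    "alice GET /api/v2/nutritionplan/1/nutritional_values/ 200",  # own plan
    "alice GET /api/v2/nutritionplan/2/nutritional_values/ 200",  # bob's plan: finding
    "bob GET /api/v2/nutritionplan/2/nutritional_values/ 200",    # own plan
    "bob GET /api/v2/nutritionplan/1/nutritional_values/ 404",    # scoped lookup: denied
]

if __name__ == "__main__":
    print(nutritional_values_vulnerable("alice", 2))   # leaks bob's plan
    print(fixed_denies("alice", 2))                    # True
    print(audit_cross_user_reads(SAMPLE_LOG))          # [('alice', 2)]
```

The audit half relies on knowing plan ownership at the time of the request; on a real deployment that means joining the access log against the `nutritionplan` table (or a snapshot of it) rather than the constructed table used here, and a `404` after the patch is the expected outcome for a cross-user pk, not a finding.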

Responsible

GitHub M

Reservation

02/24/2026

Disclosure

02/27/2026

Moderation

accepted

CPE

ready

EPSS

0.00040

KEV

no

Activities

very low
