CVE-2026-27839

Severity: MEDIUM (CVSS 3.1 base score 4.3)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality: Low
Integrity: None
Availability: None

Lifecycle Timeline (4 events)

Analysis Generated: Mar 12, 2026 - 21:56 (vuln.today)
PoC Detected: Mar 03, 2026 - 00:49 (vuln.today) - public exploit code
Patch Released: Mar 03, 2026 - 00:49 (nvd) - patch available
CVE Published: Feb 26, 2026 - 23:16 (nvd)

Description

wger is a free, open-source workout and fitness manager. In versions up to and including 2.4, three `nutritional_values` action endpoints fetch objects via `Model.objects.get(pk=pk)` - a raw ORM call that bypasses the user-scoped queryset. Any authenticated user can read another user's private nutrition plan data, including caloric intake and full macro breakdown, by supplying an arbitrary PK. Commit 29876a1954fe959e4b58ef070170e81703dab60e contains a fix for the issue.
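
The flaw described above is a classic insecure direct object reference in a Django-style view: `Model.objects.get(pk=pk)` looks the row up by primary key alone, so ownership is never checked. The following is an added illustration, not wger's code and not the contents of the referenced fix commit; it uses a tiny in-memory stand-in for the Django manager/queryset (the `QuerySet`, `Manager` and `NutritionPlan` classes, the `PLANS` table and both view functions are constructed for this example) so it runs without Django. It shows the unscoped lookup beside the user-scoped one and how the scoped version turns a foreign PK into a 404 instead of a data leak.

```python
# Added example: unscoped vs user-scoped object lookup (IDOR pattern).
# The Manager/QuerySet classes are a minimal stand-in for the Django ORM,
# and the plan rows are constructed sample data, not real wger records.
from dataclasses import dataclass, field


class DoesNotExist(Exception):
    """Raised when no row matches, like Django's Model.DoesNotExist."""


@dataclass
class NutritionPlan:
    pk: int
    user: str          # owner of the plan
    calories: int      # daily caloric intake
    macros: dict = field(default_factory=dict)  # protein/carbs/fat in grams


class QuerySet:
    def __init__(self, rows):
        self._rows = list(rows)

    def filter(self, **kwargs):
        """Keep rows whose attributes equal every given keyword value."""
        return QuerySet(r for r in self._rows
                        if all(getattr(r, k) == v for k, v in kwargs.items()))

    def get(self, **kwargs):
        """Return exactly one matching row or raise DoesNotExist."""
        matches = self.filter(**kwargs)._rows
        if len(matches) != 1:
            raise DoesNotExist(kwargs)
        return matches[0]


class Manager(QuerySet):
    """Stand-in for `NutritionPlan.objects`."""


# Constructed sample table: two users, each owning one private plan.
PLANS = Manager([
    NutritionPlan(1, "alice", 2100, {"protein": 150, "carbs": 220, "fat": 70}),
    NutritionPlan(2, "bob", 2800, {"protein": 180, "carbs": 320, "fat": 90}),
])


def nutritional_values_vulnerable(request_user, pk):
    """The flawed pattern: raw get(pk=pk) with no ownership check, so any
    authenticated caller can read any plan by PK."""
    plan = PLANS.get(pk=pk)
    return {"calories": plan.calories, **plan.macros}


def nutritional_values_fixed(request_user, pk):
    """The hardened pattern: restrict the queryset to the caller's own rows
    first, so another user's PK simply does not exist from their view."""
    plan = PLANS.filter(user=request_user).get(pk=pk)
    return {"calories": plan.calories, **plan.macros}


def call_endpoint(view, request_user, pk):
    """Minimal view wrapper: map DoesNotExist to HTTP 404, the way Django's
    get_object_or_404 does, and return (status, body)."""
    try:
        return 200, view(request_user, pk)
    except DoesNotExist:
        return 404, None


if __name__ == "__main__":
    # alice asks for bob's plan (pk=2): leak vs. 404
    print("vulnerable:", call_endpoint(nutritional_values_vulnerable, "alice", 2))
    print("fixed:     ", call_endpoint(nutritional_values_fixed, "alice", 2))
    print("own plan:  ", call_endpoint(nutritional_values_fixed, "alice", 1))
```

In a real Django view the scoped form is the usual `get_object_or_404(Model.objects.filter(user=request.user), pk=pk)` idiom (or a model manager method that already applies the user filter); whether the referenced commit uses exactly that construction is not stated on this page. Responding with 404 rather than 403 for foreign PKs also avoids confirming which PKs exist.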

Analysis

Wger versions up to 2.4 allow authenticated users to access other users' private nutrition plans through insecure direct object references in the nutritional_values endpoints, exposing sensitive dietary data including caloric intake and macronutrient breakdowns. The vulnerability stems from bypassing user-scoped querysets via direct primary key lookups, and public exploit code is available.


Remediation

Within 30 days: identify systems running affected versions (wger 2.4 and earlier) and apply the vendor patch as part of the regular patch cycle. A vendor patch is available.


Priority Score: 42 (scale: Low / Medium / High / Critical)

KEV: 0
EPSS: +0.0
CVSS: +22
POC: +20


CVE-2026-27839 vulnerability details – vuln.today
