ByteOS Network

CVE Vulnerability Details :

CVE-2026-27835

PUBLISHED

More Info Official Page

Assigner-GitHub_M

Assigner Org ID-a0819718-46f1-4df5-94e2-005712e83aaa

Published At-26 Feb, 2026 | 22:00

Updated At-26 Feb, 2026 | 22:00

▼CVE Numbering Authority (CNA)

wger: IDOR in RepetitionsConfig and MaxRepetitionsConfig API leak other users' workout data

wger is a free, open-source workout and fitness manager. In versions up to and including 2.4, `RepetitionsConfigViewSet` and `MaxRepetitionsConfigViewSet` return all users' repetition config data because their `get_queryset()` calls `.all()` instead of filtering by the authenticated user. Any registered user can enumerate every other user's workout structure. Commit 1fda5690b35706bb137850c8a084ec6a13317b64 contains a fix for the issue.

Affected Products

Vendor

wger-project

Product

wger

Versions

Affected

<= 2.4

Problem Types

Type	CWE ID	Description
CWE	CWE-639	CWE-639: Authorization Bypass Through User-Controlled Key

Type: CWE

CWE ID: CWE-639

Description: CWE-639: Authorization Bypass Through User-Controlled Key

Metrics

Version	Base score	Base severity	Vector
3.1	4.3	MEDIUM	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Version: 3.1

Base score: 4.3

Base severity: MEDIUM

Vector:

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

References

Hyperlink	Resource
https://github.com/wger-project/wger/security/advisories/GHSA-xf68-8hjw-7mpm	x_refsource_CONFIRM
https://github.com/wger-project/wger/commit/1fda5690b35706bb137850c8a084ec6a13317b64	x_refsource_MISC

Hyperlink: https://github.com/wger-project/wger/security/advisories/GHSA-xf68-8hjw-7mpm

Resource:

x_refsource_CONFIRM

Hyperlink: https://github.com/wger-project/wger/commit/1fda5690b35706bb137850c8a084ec6a13317b64

Resource:

x_refsource_MISC

Affected Products

Affected

Problem Types

Metrics

Metrics Other Info

Impacts

Solutions

Configurations

Workarounds

Exploits

Credits

Timeline

Replaced By

Rejected Reason

References