ByteOS Network

CVE Vulnerability Details :

CVE-2026-27838

PUBLISHED

More Info Official Page

Assigner-GitHub_M

Assigner Org ID-a0819718-46f1-4df5-94e2-005712e83aaa

Published At-26 Feb, 2026 | 22:04

Updated At-26 Feb, 2026 | 22:04

▼CVE Numbering Authority (CNA)

wger: IDOR via user-unscoped cache keys on routine API actions exposes workout data

wger is a free, open-source workout and fitness manager. Five routine detail action endpoints check a cache before calling `self.get_object()`. In versions up to and including 2.4, ache keys are scoped only by `pk` — no user ID is included. When a victim has previously accessed their routine via the API, an attacker can retrieve the cached response for the same PK without any ownership check. Commit e964328784e2ee2830a1991d69fadbce86ac9fbf contains a patch for the issue.

Affected Products

Vendor

wger-project

Product

wger

Versions

Affected

<= 2.4

Problem Types

Type	CWE ID	Description
CWE	CWE-639	CWE-639: Authorization Bypass Through User-Controlled Key

Type: CWE

CWE ID: CWE-639

Description: CWE-639: Authorization Bypass Through User-Controlled Key

Metrics

Version	Base score	Base severity	Vector
3.1	3.1	LOW	CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N

Version: 3.1

Base score: 3.1

Base severity: LOW

Vector:

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N

References

Hyperlink	Resource
https://github.com/wger-project/wger/security/advisories/GHSA-42cr-w2gr-m54q	x_refsource_CONFIRM
https://github.com/wger-project/wger/commit/e964328784e2ee2830a1991d69fadbce86ac9fbf	x_refsource_MISC

Hyperlink: https://github.com/wger-project/wger/security/advisories/GHSA-42cr-w2gr-m54q

Resource:

x_refsource_CONFIRM

Hyperlink: https://github.com/wger-project/wger/commit/e964328784e2ee2830a1991d69fadbce86ac9fbf

Resource:

x_refsource_MISC

Affected Products

Affected

Problem Types

Metrics

Metrics Other Info

Impacts

Solutions

Configurations

Workarounds

Exploits

Credits

Timeline

Replaced By

Rejected Reason

References