Access Control Flaw in wger Workout Manager by wger Project
CVE-2026-27835

4.3MEDIUM

Key Information:

Vendor: Wger-project
Status: Wger
Vendor: CVE Published:; 26 February 2026

🔔 Create Wger-project Vulnerability Alert

What is CVE-2026-27835?

The wger workout and fitness manager suffers from an access control vulnerability where the RepetitionsConfigViewSet and MaxRepetitionsConfigViewSet leak all users' repetition configuration data. This occurs because the get_queryset() method calls .all(), failing to filter data based on the authenticated user. Consequently, any registered user can access and enumerate other users' workout structures. A patch addressing this issue is included in commit 1fda5690b35706bb137850c8a084ec6a13317b64.

Affected Version(s)

wger <= 2.4

References

https://github.com/wger-project/wger/security/advisories/...

x_refsource_CONFIRM

https://github.com/wger-project/wger/commit/1fda5690b3570...

x_refsource_MISC

CVSS V3.1

Score:

4.3

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

None

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Feb 26, 2026
Vulnerability Reserved
Feb 24, 2026

CVE-2026-27835 Data

JSON