Cache Exposure in wger Workout and Fitness Manager
CVE-2026-27838

3.1 LOW

Key Information:

Status
Vendor
CVE Published: 26 February 2026

What is CVE-2026-27838?

wger Workout and Fitness Manager, an open-source application for managing workouts, contains a vulnerability that exposes cached API responses to other users. Five routine detail action endpoints build their cache key from the routine's primary key (pk) only and do not include the user ID. As a result, once a user has accessed their routine via the API, an attacker can retrieve the cached response for the same pk. The lack of ownership checks may lead to unauthorized access to sensitive routine information. A patch for this issue has been implemented in commit e964328784e2ee2830a1991d69fadbce86ac9fbf.
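The cache-key flaw described above, reduced to a minimal in-memory model with the pk-only key beside a user-scoped key. This is an added example, not wger's code and not the patch from the commit; the class, the action name, the users and the sample routine are all hypothetical.

```python
"""Added illustration: a cache keyed by pk alone versus pk plus user.
All names and data here are hypothetical, not taken from wger."""

# Constructed sample data: routine 7 belongs to alice.
ROUTINES = {7: {"owner": "alice", "name": "Push/pull split"}}


class RoutineEndpoint:
    """Models one cached routine detail action (action name is made up)."""

    def __init__(self, scope_by_user):
        self.scope_by_user = scope_by_user
        self.cache = {}

    def _cache_key(self, user, pk, action):
        if self.scope_by_user:
            return f"routine:{action}:{user}:{pk}"  # per-user entry
        return f"routine:{action}:{pk}"  # shared by every caller of this pk

    def get(self, user, pk, action="example_action"):
        key = self._cache_key(user, pk, action)
        if key in self.cache:
            # A hit is returned as-is; the ownership check below never runs.
            return self.cache[key]
        routine = ROUTINES.get(pk)
        if routine is None or routine["owner"] != user:
            return {"status": 404}
        response = {"status": 200, "data": routine["name"]}
        self.cache[key] = response
        return response


def statuses(scope_by_user, warm_cache=True):
    """Return (owner_status, other_user_status) for routine 7."""
    endpoint = RoutineEndpoint(scope_by_user)
    owner = endpoint.get("alice", 7)["status"] if warm_cache else None
    other = endpoint.get("bob", 7)["status"]
    return owner, other


if __name__ == "__main__":
    print("pk-only key, warm cache:", statuses(False))
    print("pk-only key, cold cache:", statuses(False, warm_cache=False))
    print("user-scoped key        :", statuses(True))
```

With the pk-only key the second user gets the owner's cached body only after the owner has populated the entry; on a cold cache the ownership check still runs and rejects the request.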

Affected Version(s)

wger <= 2.4

CVSS V3.1

Score: 3.1
Severity: LOW
Confidentiality: Low
Integrity: None
Availability: Low
Attack Vector: Network
Attack Complexity: High
Privileges Required: Low
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
