Improper Access Control Vulnerability in wger Workout Manager
CVE-2026-27839

4.3 MEDIUM

Key Information:

CVE Published: 26 February 2026

What is CVE-2026-27839?

wger Workout Manager contains an improper access control flaw (an insecure direct object reference) that lets any authenticated user read other users' private nutrition plans. Three nutritional_values action endpoints look the plan up with Model.objects.get(pk=pk), an unscoped ORM call that bypasses the user-scoped queryset the rest of the API relies on, so the object is fetched without checking that it belongs to the requesting user. A logged-in user who supplies another user's plan primary key therefore receives that user's nutritional values, including daily caloric intake and the detailed macronutrient breakdown. The issue is fixed in commit 29876a1954fe959e4b58ef070170e81703dab60e.
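The defect class described above, shown as an added illustration that is not wger's code: a per-object action that resolves the primary key through the unscoped model manager, beside the hardened form that resolves it only inside the caller's own queryset. The in-memory Manager, the User and NutritionPlan stand-ins, the sample plans and the handler names are assumptions that mirror the Django/DRF shape of the bug so the example runs without Django installed.

```python
"""
Simplified stand-in for the Django ORM pattern behind this advisory.
Not wger's source: the Manager class, the User/NutritionPlan records and
the two handlers are assumptions that reproduce the shape of the bug.
"""
from dataclasses import dataclass, field


class NotFound(Exception):
    """Stand-in for the 404 a DRF view raises when get() finds no row."""


@dataclass
class User:
    id: int
    username: str


@dataclass
class NutritionPlan:
    pk: int
    user_id: int
    description: str
    # Constructed sample totals (kcal, protein) for the example only.
    totals: dict = field(default_factory=dict)


class Manager:
    """Minimal stand-in for Django's Model.objects manager / QuerySet."""

    def __init__(self, rows):
        self._rows = list(rows)

    def get(self, pk):
        # Unscoped lookup: matches any row, regardless of who owns it.
        for row in self._rows:
            if row.pk == pk:
                return row
        raise NotFound(f"pk={pk}")

    def filter(self, user_id):
        # User-scoped queryset: only rows owned by the given user.
        return Manager(r for r in self._rows if r.user_id == user_id)


# Constructed sample data: two users, each owning one private plan.
alice = User(1, "alice")
bob = User(2, "bob")
NutritionPlan.objects = Manager([
    NutritionPlan(10, alice.id, "alice cut", {"kcal": 1800, "protein": 150}),
    NutritionPlan(11, bob.id, "bob bulk", {"kcal": 3200, "protein": 190}),
])


def get_queryset(user):
    """What a user-scoped viewset's get_queryset() returns for the caller."""
    return NutritionPlan.objects.filter(user_id=user.id)


def nutritional_values_vulnerable(request_user, pk):
    """The pattern the advisory describes: Model.objects.get(pk=pk) ignores
    the requesting user entirely, so any pk resolves to any user's plan."""
    plan = NutritionPlan.objects.get(pk=pk)
    return plan.totals


def nutritional_values_fixed(request_user, pk):
    """Hardened form: the pk is resolved only within the caller's own
    queryset, so another user's pk is indistinguishable from a missing row."""
    plan = get_queryset(request_user).get(pk=pk)
    return plan.totals


def can_read(handler, user, pk):
    """True if `user` can read plan `pk` through `handler`, False on 404."""
    try:
        handler(user, pk)
        return True
    except NotFound:
        return False
```

In a real DRF viewset the fixed handler is `get_object_or_404(self.get_queryset(), pk=pk)` (Django's shortcut accepts a QuerySet as its first argument) or simply `self.get_object()`, which applies the view's queryset and permission checks. Returning 404 rather than 403 for a foreign pk also avoids confirming that the object exists.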

Affected Version(s)

wger <= 2.4

CVSS V3.1

Score: 4.3
Severity: MEDIUM
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality: Low
Integrity: None
Availability: None

Timeline

  • Vulnerability published: 26 February 2026

  • Vulnerability reserved