CVE-2026-27835
Received Received - Intake
Insecure Direct Object Reference in wger Repetition Config API

Publication date: 2026-02-26

Last updated on: 2026-03-03

Assigner: GitHub, Inc.

Description
wger is a free, open-source workout and fitness manager. In versions up to and including 2.4, `RepetitionsConfigViewSet` and `MaxRepetitionsConfigViewSet` return all users' repetition config data because their `get_queryset()` calls `.all()` instead of filtering by the authenticated user. Any registered user can enumerate every other user's workout structure. Commit 1fda5690b35706bb137850c8a084ec6a13317b64 contains a fix for the issue.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-02-26
Last Modified
2026-03-03
Generated
2026-06-16
AI Q&A
2026-02-27
EPSS Evaluated
2026-06-15
NVD
CVE-2026-27835
EUVD
EUVD-2026-8898
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
wger wger to 2.4 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-639 The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

The vulnerability exists in wger, a free, open-source workout and fitness manager, in versions up to and including 2.4. Specifically, the `RepetitionsConfigViewSet` and `MaxRepetitionsConfigViewSet` components return all users' repetition configuration data because their `get_queryset()` methods call `.all()` instead of filtering the data by the authenticated user. This means that any registered user can access and enumerate the workout structure data of every other user.

Impact Analysis

This vulnerability allows any registered user to view the repetition configuration data of all other users. As a result, sensitive or private workout structure information can be exposed without authorization. While it does not allow modification or deletion, the unauthorized disclosure of user-specific workout data could lead to privacy concerns or misuse of personal fitness information.

Compliance Impact

I don't know

Detection Guidance

I don't know

Mitigation Strategies

To mitigate this vulnerability, update wger to a version that includes the fix from commit 1fda5690b35706bb137850c8a084ec6a13317b64 or later.

The issue is caused by the `RepetitionsConfigViewSet` and `MaxRepetitionsConfigViewSet` returning all users' repetition config data without filtering by the authenticated user. Applying the fix ensures that only the authenticated user's data is returned.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-27835. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart