CVE-2026-27838
Received Received - Intake
Insecure Cache Key Allows Unauthorized Data Access in wger

Publication date: 2026-02-26

Last updated on: 2026-03-03

Assigner: GitHub, Inc.

Description
wger is a free, open-source workout and fitness manager. Five routine detail action endpoints check a cache before calling `self.get_object()`. In versions up to and including 2.4, ache keys are scoped only by `pk` β€” no user ID is included. When a victim has previously accessed their routine via the API, an attacker can retrieve the cached response for the same PK without any ownership check. Commit e964328784e2ee2830a1991d69fadbce86ac9fbf contains a patch for the issue.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-02-26
Last Modified
2026-03-03
Generated
2026-06-16
AI Q&A
2026-02-27
EPSS Evaluated
2026-06-15
NVD
CVE-2026-27838
EUVD
EUVD-2026-8906
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
wger wger to 2.4 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-639 The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in wger, an open-source workout and fitness manager. In versions up to and including 2.4, five routine detail action endpoints use a cache that is keyed only by the primary key (pk) without including the user ID. Because of this, when a user accesses their routine via the API, the cached response for that routine is stored without verifying ownership. An attacker can exploit this by retrieving cached responses for the same pk, gaining access to another user's routine data without proper authorization.

Impact Analysis

This vulnerability can lead to unauthorized disclosure of user-specific workout routine data. An attacker with knowledge of a valid routine primary key can retrieve cached data belonging to other users without needing proper permissions. This compromises user privacy and could expose sensitive fitness information.

Compliance Impact

I don't know

Detection Guidance

I don't know

Mitigation Strategies

To mitigate this vulnerability, update wger to a version that includes the patch from commit e964328784e2ee2830a1991d69fadbce86ac9fbf or later.

This patch fixes the issue by including user ID in the cache key scope, preventing attackers from retrieving cached responses without ownership checks.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-27838. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart