CVE-2026-43977
Received Received - Intake

Authenticated Information Disclosure in wger Workout Manager

Vulnerability report for CVE-2026-43977, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-16

Last updated on: 2026-07-16

Assigner: GitHub, Inc.

Description

wger is a free, open-source workout and fitness manager. In versions prior to 2.6, any authenticated user can read another user's private workout session notes, exercise history, and training statistics by calling the /logs/ and /stats/ actions on a routine they do not own. The vulnerability exists in RoutineViewSet (wger/manager/api/views.py). The view defines two custom actions /logs/ and /stats/ that are intended to return data for the requesting user's own training history within a routine. However, the underlying permission check (RoutinePermission.has_object_permission) grants read access to any authenticated user when the routine has is_template=True, regardless of ownership. When the /logs/ or /stats/ actions are invoked against a routine the attacker does not own, they return the owner's private workout history, not the attacker's. This issue has been fixed in version 2.6.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-16
Last Modified
2026-07-16
Generated
2026-07-17
AI Q&A
2026-07-17
EPSS Evaluated
N/A
NVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
wger wger to 2.6 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-639 The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.
CWE-863 The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability affects wger, a free workout manager. In versions before 2.6, any logged-in user can access another user's private workout notes, exercise history, and training stats by calling specific API endpoints on routines they don't own. The issue lies in the RoutineViewSet where permission checks fail to enforce ownership, allowing unauthorized access when routines are marked as templates.

Detection Guidance

Check if any user can access private workout data of others by calling /logs/ or /stats/ endpoints on routines they do not own. Verify if routines with is_template=True allow unauthorized read access to training history.

Impact Analysis

If you use wger before version 2.6, attackers with an account can view your private workout data, including sensitive exercise history and notes. This exposes personal fitness information that could be misused or lead to privacy violations.

Compliance Impact

This vulnerability likely violates GDPR and HIPAA by exposing personal health and fitness data without consent. GDPR requires strict protection of personal data, while HIPAA governs health information privacy. Unauthorized access to such data could result in legal penalties and reputational damage.

Mitigation Strategies

Upgrade wger to version 2.6 or later to apply the security fix. Ensure no unauthorized access has occurred by reviewing logs for suspicious /logs/ or /stats/ requests on routines with is_template=True.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-43977. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart