Vulnerability Description
wger is a free, open-source workout and fitness manager. Five routine detail action endpoints check a cache before calling `self.get_object()`. In versions up to and including 2.4, the cache keys are scoped only by `pk`, with no user ID included. When a victim has previously accessed their routine via the API, an attacker can retrieve the cached response for the same PK without any ownership check. Commit e964328784e2ee2830a1991d69fadbce86ac9fbf contains a patch for the issue.
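The cache-before-ownership-check pattern the description refers to, as an added example that is not wger's code: a constructed, Django-free model in which `get_object` stands in for the view's ownership check, `detail_vulnerable` keys the cache by `pk` alone and consults it before that check (the pre-fix shape), and `detail_fixed` checks ownership first and scopes the key by user ID. The names, sample data and dict-based cache are all assumptions.

```python
from dataclasses import dataclass

@dataclass
class Routine:
    pk: int
    owner_id: int
    name: str

# Constructed stand-in for the routine table (not wger's models).
ROUTINES = {
    1: Routine(pk=1, owner_id=100, name="victim's routine"),
    2: Routine(pk=2, owner_id=200, name="other user's routine"),
}

def get_object(pk: int, user_id: int) -> Routine:
    """Hypothetical ownership check, playing the role of self.get_object()."""
    routine = ROUTINES[pk]
    if routine.owner_id != user_id:
        raise PermissionError(f"user {user_id} does not own routine {pk}")
    return routine

def detail_vulnerable(cache: dict, pk: int, user_id: int) -> dict:
    """Pre-fix shape: key scoped by pk only, cache consulted before get_object()."""
    key = f"routine-detail-{pk}"
    if key in cache:                      # served without any ownership check
        return cache[key]
    routine = get_object(pk, user_id)
    cache[key] = {"pk": routine.pk, "name": routine.name}
    return cache[key]

def detail_fixed(cache: dict, pk: int, user_id: int) -> dict:
    """Hardened shape: ownership check first, user id included in the key."""
    routine = get_object(pk, user_id)
    key = f"routine-detail-{user_id}-{pk}"
    if key not in cache:
        cache[key] = {"pk": routine.pk, "name": routine.name}
    return cache[key]

def leaks_across_users(handler) -> bool:
    """Owner (100) warms the cache for pk=1, then user 200 asks for the same pk.
    True means user 200 got the owner's cached data instead of a denial."""
    cache: dict = {}
    handler(cache, 1, 100)
    try:
        handler(cache, 1, 200)
    except PermissionError:
        return False
    return True
```

Running `leaks_across_users` against both handlers makes the difference concrete: the pk-only key serves the owner's cached entry to the second caller, while the user-scoped key never has an entry for that caller and falls through to the ownership check.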
CVSS Score
LOW
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Wger | Wger | <= 2.4 |
Related Weaknesses (CWE)
References
- https://github.com/wger-project/wger/commit/e964328784e2ee2830a1991d69fadbce86ac9fbf (Patch)
- https://github.com/wger-project/wger/security/advisories/GHSA-42cr-w2gr-m54q (Exploit, Vendor Advisory)
FAQ
What is CVE-2026-27838?
CVE-2026-27838 is a vulnerability with a CVSS score of 3.1 (LOW). wger is a free, open-source workout and fitness manager. Five routine detail action endpoints check a cache before calling `self.get_object()`. In versions up to and including 2.4, the cache keys are scope...
How severe is CVE-2026-27838?
CVE-2026-27838 has been rated LOW with a CVSS base score of 3.1/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2026-27838?
Check the references section above for vendor advisories and patch information. Affected products include: Wger Wger.