Description
wger is a free, open-source workout and fitness manager. In versions up to and including 2.4, three `nutritional_values` action endpoints fetch objects via `Model.objects.get(pk=pk)` — a raw ORM call that bypasses the user-scoped queryset. Any authenticated user can read another user's private nutrition plan data, including caloric intake and full macro breakdown, by supplying an arbitrary PK. Commit 29876a1954fe959e4b58ef070170e81703dab60e contains a fix for the issue.
Published: 2026-02-26
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Information Disclosure of Personal Dietary Data
Action: Apply Patch
AI Analysis

Impact

The vulnerability is an IDOR (CWE‑639) in the nutritional_values endpoints of the wger open‑source fitness manager. Three API routes use a direct ORM lookup via Model.objects.get(pk=pk), ignoring the user‑scoped queryset. An authenticated user can supply any primary key and read another user’s private nutrition plan, including caloric intake and macro breakdown, thereby disclosing personally sensitive health data. The flaw does not provide privilege escalation, denial of service, or remote code execution; its main consequence is confidentiality loss.

Affected Systems

The issue affects all releases of the wger application up to and including version 2.4. The vulnerable code resides in the nutritional_values endpoints. The fix is in commit 29876a1954fe959e4b58ef070170e81703dab60e, which is included in releases after 2.4.

Risk and Exploitability

The CVSS base score is 4.3, indicating a moderate severity, while the EPSS score is less than 1%, suggesting a low likelihood of exploitation at present. The flaw is not listed in KEV, implying no known active use in the wild. Exploitation requires an authenticated user who can send requests with arbitrary primary keys to the endpoints; no special privileges beyond authentication are needed. An attacker could extract sensitive personal health information, potentially impacting privacy and personal security.

Generated by OpenCVE AI on April 16, 2026 at 15:58 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade wger to a version that includes the fix from commit 29876a1954fe959e4b58ef070170e81703dab60e (any release newer than 2.4).
  • If an upgrade is not immediately possible, modify the application to enforce ownership checks on nutritional_values endpoints or replace the direct ORM calls with a scoped queryset that validates the requestor’s permissions.
  • Validate and monitor API usage for anomalous access patterns, particularly requests that include uncommon primary keys or frequent cross‑user data retrieval.
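The scoped-queryset fix named in the second recommendation, shown as an added example that is not wger's code: a small in-memory stand-in replaces Django's ORM so the snippet runs offline, and the NutritionPlan rows and user names are constructed sample data.

```python
from dataclasses import dataclass

class NotFound(Exception):
    """Stand-in for Django's DoesNotExist / Http404."""

class QuerySet:
    """Minimal stand-in for a Django queryset: filter() narrows, get() fetches one row."""
    def __init__(self, rows):
        self._rows = list(rows)
    def filter(self, **lookups):
        return QuerySet(r for r in self._rows
                        if all(getattr(r, k) == v for k, v in lookups.items()))
    def get(self, **lookups):
        hits = self.filter(**lookups)._rows
        if len(hits) != 1:
            raise NotFound(f"no unique row matching {lookups}")
        return hits[0]

@dataclass(frozen=True)
class NutritionPlan:
    pk: int
    user: str       # owner; a ForeignKey to User in the real model
    calories: int

# Constructed sample rows (not real wger data): one plan per user.
NutritionPlan.objects = QuerySet([
    NutritionPlan(pk=1, user="alice", calories=2100),
    NutritionPlan(pk=2, user="bob", calories=1800),
])

def nutritional_values_vulnerable(request_user, pk):
    """Flawed pattern: a raw Model.objects.get(pk=pk) never looks at who is asking."""
    plan = NutritionPlan.objects.get(pk=pk)
    return {"calories": plan.calories}

def nutritional_values_fixed(request_user, pk):
    """Fix: resolve pk only inside the requester's own scoped queryset, so a foreign
    pk is indistinguishable from a nonexistent one (404) and nothing is disclosed."""
    plan = NutritionPlan.objects.filter(user=request_user).get(pk=pk)
    return {"calories": plan.calories}

def probe(handler, request_user, pk):
    """Return the handler's payload, or None when the lookup raises NotFound (404)."""
    try:
        return handler(request_user, pk)
    except NotFound:
        return None
```

In a real Django REST framework action the same scoping is `get_object_or_404(self.get_queryset(), pk=pk)`, where `get_queryset()` already filters on `request.user`.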

Advisories

Source: GitHub GHSA
ID: GHSA-g8gc-6c4h-jg86
Title: wger: IDOR in nutritional_values endpoints exposes private dietary data via direct ORM lookup

History

Tue, 03 Mar 2026 06:15:00 +0000

Type: Metrics
Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 03 Mar 2026 01:00:00 +0000

Type: First Time appeared
Values Added: Wger; Wger wger
Type: CPEs
Values Added: cpe:2.3:a:wger:wger:*:*:*:*:*:*:*:*
Type: Vendors & Products
Values Added: Wger; Wger wger

Fri, 27 Feb 2026 09:15:00 +0000

Type: First Time appeared
Values Added: Wger-project; Wger-project wger
Type: Vendors & Products
Values Added: Wger-project; Wger-project wger

Thu, 26 Feb 2026 22:30:00 +0000

Type: Description
Values Added: wger is a free, open-source workout and fitness manager. In versions up to and including 2.4, three `nutritional_values` action endpoints fetch objects via `Model.objects.get(pk=pk)` — a raw ORM call that bypasses the user-scoped queryset. Any authenticated user can read another user's private nutrition plan data, including caloric intake and full macro breakdown, by supplying an arbitrary PK. Commit 29876a1954fe959e4b58ef070170e81703dab60e contains a fix for the issue.
Type: Title
Values Added: wger: IDOR in nutritional_values endpoints exposes private dietary data via direct ORM lookup
Type: Weaknesses
Values Added: CWE-639
Type: References
Type: Metrics
Values Added: cvssV3_1 {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-03T01:36:50.202Z

Reserved: 2026-02-24T02:32:39.801Z

Link: CVE-2026-27839

Vulnrichment

Updated: 2026-03-03T01:36:45.710Z

NVD

Status: Analyzed

Published: 2026-02-26T23:16:35.123

Modified: 2026-03-03T00:49:06.300

Link: CVE-2026-27839

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-16T16:00:13Z

Weaknesses