CVE-2026-27835 is an authorization bypass vulnerability classified under CWE-639 (Authorization Bypass Through User-Controlled Key) affecting the wger open-source workout and fitness manager software. Specifically, in versions up to and including 2.4, the RepetitionsConfigViewSet and MaxRepetitionsConfigViewSet components improperly implement their get_queryset() methods by calling .all() on the underlying data model instead of filtering the data by the authenticated user. This coding oversight causes the API endpoints to return repetition configuration data for all users, not just the requesting user. Consequently, any registered user can enumerate and retrieve sensitive workout structure data belonging to other users, violating confidentiality principles. The vulnerability requires the attacker to be authenticated but does not require any user interaction beyond that. The CVSS 3.1 vector (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N) indicates network exploitability with low attack complexity, requiring privileges (authenticated user), no user interaction, unchanged scope, and limited confidentiality impact. No known exploits are currently reported in the wild. The issue was addressed in a commit identified as 1fda5690b35706bb137850c8a084ec6a13317b64, which presumably modifies the get_queryset() methods to filter data by the authenticated user, restoring proper access control. This vulnerability highlights the importance of enforcing strict authorization checks in multi-user applications, especially those exposing user-specific data via APIs.

The primary impact of CVE-2026-27835 is unauthorized disclosure of user-specific workout configuration data within the wger fitness management platform. Although the exposed data may not be highly sensitive compared to financial or personal identity information, it still represents a breach of user privacy and confidentiality. Organizations using affected versions risk leaking user workout structures to other authenticated users, potentially undermining user trust and violating data protection policies or regulations. There is no reported impact on data integrity or system availability, limiting the scope of damage. However, in environments where workout data might be linked to health or personal information, this exposure could have reputational or compliance consequences. Since exploitation requires authentication, the threat is limited to insiders or registered users, reducing the risk from external unauthenticated attackers. The vulnerability could be leveraged in targeted attacks or reconnaissance within organizations or communities using wger. Overall, the impact is moderate but significant enough to warrant prompt remediation.

To mitigate CVE-2026-27835, organizations should upgrade wger to a version that includes the fix committed in 1fda5690b35706bb137850c8a084ec6a13317b64 or later. If immediate upgrade is not feasible, administrators should implement the following specific measures: 1) Review and modify the RepetitionsConfigViewSet and MaxRepetitionsConfigViewSet get_queryset() methods to explicitly filter data by the authenticated user's identifier, ensuring no data leakage occurs. 2) Conduct thorough code audits of all API endpoints handling user-specific data to verify proper authorization checks are in place. 3) Enforce strict role-based access controls and monitor authenticated user activities for unusual access patterns. 4) Consider implementing API rate limiting and logging to detect enumeration attempts. 5) Communicate transparently with users about the vulnerability and remediation steps to maintain trust. 6) Regularly update and patch the wger platform and dependencies to incorporate security fixes. These targeted actions go beyond generic advice by focusing on code-level authorization enforcement and operational monitoring tailored to this vulnerability.