CVE-2026-27835: CWE-639: Authorization Bypass Through User-Controlled Key in wger-project wger
wger is a free, open-source workout and fitness manager. In versions up to and including 2.4, `RepetitionsConfigViewSet` and `MaxRepetitionsConfigViewSet` return all users' repetition config data because their `get_queryset()` calls `.all()` instead of filtering by the authenticated user. Any registered user can enumerate every other user's workout structure. Commit 1fda5690b35706bb137850c8a084ec6a13317b64 contains a fix for the issue.
AI Analysis
Technical Summary
CVE-2026-27835 is an authorization bypass vulnerability classified under CWE-639 (Authorization Bypass Through User-Controlled Key) affecting the wger-project's wger application, a free and open-source workout and fitness manager. In versions up to and including 2.4, the RepetitionsConfigViewSet and MaxRepetitionsConfigViewSet API endpoints implement their get_queryset() methods by calling .all() on the model manager, which returns every user's repetition configuration data instead of restricting the result set to the authenticated user. As a result, any authenticated user can enumerate and retrieve workout repetition configurations belonging to other users, violating data confidentiality. The root cause is missing per-user authorization in the queryset logic, which permits access to data the requester does not own. The issue was fixed in commit 1fda5690b35706bb137850c8a084ec6a13317b64, which presumably adds filtering based on the authenticated user. The CVSS 3.1 vector (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N) indicates that the vulnerability is exploitable over the network, requires low attack complexity, requires low privileges (any registered account), needs no user interaction, and affects confidentiality only, with no integrity or availability impact. No known exploits have been reported in the wild as of the publication date (February 26, 2026).
Potential Impact
The primary impact of this vulnerability is unauthorized disclosure of sensitive user data related to workout repetition configurations. Although this data may not be highly sensitive compared to financial or personal identity information, it still represents a privacy breach and could be leveraged for profiling or social engineering attacks. Organizations using wger versions up to 2.4 risk exposing user-specific workout data to any authenticated user, potentially damaging user trust and violating privacy regulations depending on jurisdiction. The vulnerability does not affect data integrity or availability, so it is less likely to cause operational disruption. However, in environments where fitness data is integrated with other personal health information, this exposure could have broader privacy implications. Since exploitation requires only a registered account, attackers can easily create accounts to access data, increasing the risk of mass data enumeration.
Mitigation Recommendations
Organizations should immediately upgrade wger to a version that includes the fix from commit 1fda5690b35706bb137850c8a084ec6a13317b64 or later. If upgrading is not immediately possible, administrators should implement temporary access controls to restrict API endpoint access to only authorized users and ensure that get_queryset() methods filter data by the authenticated user. Conduct code reviews to verify that all API endpoints enforce proper authorization checks. Additionally, monitor logs for unusual access patterns indicative of data enumeration attempts. Educate users about the importance of strong authentication and consider implementing multi-factor authentication to reduce the risk of account abuse. Finally, review privacy policies and inform users if their data may have been exposed due to this vulnerability.
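The following is an added illustration, not code from wger or from this advisory: it models the get_queryset() defect described above (returning .all() instead of a user-scoped queryset) beside the hardened form, and wraps the code-review recommendation in a small regression check that reports rows visible to a requester that belong to someone else. A tiny stand-in replaces the Django ORM and DRF viewset so it runs offline; the RepetitionsConfig row shape and its direct `owner` field are assumptions, not wger's real model relation.

```python
from dataclasses import dataclass
from typing import Iterable, List

@dataclass(frozen=True)
class User:
    username: str

@dataclass(frozen=True)
class RepetitionsConfig:
    pk: int
    owner: User  # assumed direct ownership link; wger's real relation differs
    reps: int

class QuerySet:
    """Minimal stand-in for a Django QuerySet: only all() and filter()."""
    def __init__(self, rows: Iterable[RepetitionsConfig]):
        self._rows = list(rows)
    def all(self) -> "QuerySet":
        return QuerySet(self._rows)
    def filter(self, *, owner: User) -> "QuerySet":
        return QuerySet(r for r in self._rows if r.owner == owner)
    def __iter__(self):
        return iter(self._rows)

class VulnerableViewSet:
    """Pre-fix pattern from the advisory: get_queryset() returns .all()."""
    def __init__(self, table: QuerySet, request_user: User):
        self.table, self.request_user = table, request_user
    def get_queryset(self) -> QuerySet:
        return self.table.all()  # no per-user scoping: every user's rows leak

class ScopedViewSet(VulnerableViewSet):
    """Hardened pattern: scope the queryset to the authenticated user."""
    def get_queryset(self) -> QuerySet:
        return self.table.filter(owner=self.request_user)

def leaked_pks(viewset_cls, table: QuerySet, requester: User) -> List[int]:
    """Regression check: pks visible to `requester` that belong to other users."""
    rows = viewset_cls(table, requester).get_queryset()
    return sorted(r.pk for r in rows if r.owner != requester)

# Constructed sample data: alice owns one config, bob owns two.
ALICE, BOB = User("alice"), User("bob")
TABLE = QuerySet([RepetitionsConfig(1, ALICE, 8), RepetitionsConfig(2, BOB, 12),
                  RepetitionsConfig(3, BOB, 5)])
```

In a real Django test suite the same check is done by authenticating a test client as one user, listing the endpoint, and asserting that no returned object resolves to another user; the leaked_pks helper is the offline equivalent.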
Affected Countries
United States, Germany, United Kingdom, Canada, Australia, France, Netherlands, Sweden, Japan, South Korea
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-02-24T02:32:39.800Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 69a0c5b685912abc710cd5d6
Added to database: 2/26/2026, 10:14:14 PM
Last enriched: 3/6/2026, 9:26:58 PM
Last updated: 4/13/2026, 9:31:37 AM