The vulnerability CVE-2026-27838 affects wger, a free and open-source workout and fitness management application. In versions up to and including 2.4, five routine detail action API endpoints implement caching to improve performance. However, the cache keys are constructed solely based on the primary key (pk) of the routine, without incorporating the user ID or ownership information. This design flaw means that when a user accesses their routine, the response is cached under a key that is not user-specific. An attacker who knows or guesses the pk of another user's routine can retrieve the cached response from the API without any authorization checks, effectively bypassing access controls. The vulnerability is classified under CWE-639 (Authorization Bypass Through User-Controlled Key). The patch referenced (commit e964328784e2ee2830a1991d69fadbce86ac9fbf) fixes the issue by including user identifiers in the cache key, ensuring that cached data is scoped per user and preventing unauthorized access. The CVSS v3.1 base score is 3.1, reflecting low severity due to limited impact (confidentiality only), the need for low privileges, and high attack complexity. There are no known exploits in the wild at this time.

This vulnerability allows unauthorized users to access cached routine details of other users without authentication or user interaction, leading to a breach of confidentiality. While it does not affect data integrity or availability, the exposure of personal fitness routines could violate user privacy and potentially expose sensitive health-related information. For organizations or communities relying on wger for fitness management, this could undermine user trust and compliance with data protection regulations such as GDPR. The impact is limited to information disclosure and requires the attacker to know or guess valid routine primary keys, which may reduce exploitability. However, in environments with many users and predictable or sequential PKs, the risk of unauthorized data access increases. Since no known exploits exist yet, the threat is currently theoretical but should be addressed proactively.

Organizations using wger versions 2.4 or earlier should upgrade immediately to the patched version containing commit e964328784e2ee2830a1991d69fadbce86ac9fbf or later, which scopes cache keys by user ID to prevent unauthorized access. If upgrading is not immediately feasible, administrators should consider disabling caching on the affected routine detail endpoints to eliminate the vulnerability vector. Additionally, implementing strict API access controls and monitoring for unusual access patterns to routine details can help detect exploitation attempts. Developers should review other caching mechanisms in the application to ensure user scoping is consistently applied. Finally, educating users about the importance of strong authentication and limiting exposure of routine identifiers can reduce the risk of exploitation.