CVE-2026-27839: CWE-639: Authorization Bypass Through User-Controlled Key in wger-project wger
wger is a free, open-source workout and fitness manager. In versions up to and including 2.4, three `nutritional_values` action endpoints fetch objects via `Model.objects.get(pk=pk)` — a raw ORM call that bypasses the user-scoped queryset. Any authenticated user can read another user's private nutrition plan data, including caloric intake and full macro breakdown, by supplying an arbitrary PK. Commit 29876a1954fe959e4b58ef070170e81703dab60e contains a fix for the issue.
AI Analysis
Technical Summary
CVE-2026-27839 is an authorization bypass classified under CWE-639 (Authorization Bypass Through User-Controlled Key) in wger, the wger-project's free, open-source workout and fitness manager. In versions up to and including 2.4, three `nutritional_values` action endpoints look their object up with a raw Django ORM call, `Model.objects.get(pk=pk)`. The viewsets these actions belong to are scoped to the requesting user through their queryset, but the raw manager call skips that scoping, so the only thing selecting the record is the caller-supplied primary key. Any authenticated user can therefore read another user's private nutrition plan, including caloric intake and the full macronutrient breakdown, by supplying that plan's PK; Django's default primary keys are sequential integers, so valid values are trivial to enumerate. Exploitation requires a valid account but no user interaction, and the impact is limited to confidentiality: nothing can be altered through these endpoints. The fix is in commit 29876a1954fe959e4b58ef070170e81703dab60e; consistent with the description, the expected change is to route the three lookups through the user-scoped queryset instead of the raw manager (the commit itself is not reproduced here). No public exploit is known. The CVSS v3.1 base score is 4.3 (medium), reflecting network-reachable, low-privilege exploitation with a confidentiality-only impact.
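To make the bug class concrete, the following is an added example and not wger's code or the fix commit. It is a small Python stand-in that imitates the parts of Django's manager/queryset API and a DRF viewset that matter here, so it runs without Django installed. The names `NutritionPlan`, `NutritionPlanViewSet` and the `nutritional_values_*` methods are modelled on the advisory's wording, not copied from the project, and the fixed variant assumes the remedy is to resolve the object through `get_queryset()`; the sample users and plans are constructed.

```python
"""Added example (not wger's code): the raw-manager lookup behind
CVE-2026-27839 beside its user-scoped form.  Manager/QuerySet/ViewSet
below imitate just enough of Django and DRF to run stand-alone."""
from dataclasses import dataclass
from typing import Dict, Iterable


class NotFound(Exception):
    """Stand-in for rest_framework.exceptions.NotFound (HTTP 404)."""


@dataclass(frozen=True)
class User:
    id: int
    username: str


@dataclass
class NutritionPlan:
    pk: int
    user: User
    kcal: int                 # constructed sample data: daily kcal ...
    macros: Dict[str, int]    # ... and a macro breakdown in grams


class QuerySet:
    """Tiny imitation of a Django QuerySet over an in-memory list."""

    def __init__(self, rows: Iterable[NutritionPlan]):
        self._rows = list(rows)

    def filter(self, **kwargs) -> "QuerySet":
        return QuerySet(r for r in self._rows
                        if all(getattr(r, k) == v for k, v in kwargs.items()))

    def get(self, **kwargs) -> NutritionPlan:
        matches = self.filter(**kwargs)._rows
        if len(matches) != 1:
            raise NotFound("No NutritionPlan matches the given query.")
        return matches[0]


class Manager(QuerySet):
    """Plays the role of NutritionPlan.objects: unscoped, every row."""


# Constructed fixture: two users, one plan each.
alice = User(1, "alice")
bob = User(2, "bob")
NutritionPlan.objects = Manager([
    NutritionPlan(pk=10, user=alice, kcal=2100,
                  macros={"protein": 140, "carbs": 220, "fat": 70}),
    NutritionPlan(pk=11, user=bob, kcal=3200,
                  macros={"protein": 200, "carbs": 380, "fat": 100}),
])


@dataclass
class Request:
    user: User


class NutritionPlanViewSet:
    """Imitates a DRF ModelViewSet whose normal routes are scoped to the
    requesting user via get_queryset(), as the advisory describes."""

    def __init__(self, request: Request):
        self.request = request

    def get_queryset(self) -> QuerySet:
        return NutritionPlan.objects.filter(user=self.request.user)

    # BEFORE: an @action that reaches for the raw manager skips
    # get_queryset(), so the caller-supplied pk is the only access control.
    def nutritional_values_vulnerable(self, pk: int) -> dict:
        plan = NutritionPlan.objects.get(pk=pk)        # CWE-639
        return {"kcal": plan.kcal, **plan.macros}

    # AFTER (assumed shape of the fix): resolve through the user-scoped
    # queryset.  Another user's pk is simply absent from the set, giving
    # a 404 that also avoids confirming the pk exists.
    def nutritional_values_fixed(self, pk: int) -> dict:
        plan = self.get_queryset().get(pk=pk)
        return {"kcal": plan.kcal, **plan.macros}


def read_as(viewer: User, pk: int, fixed: bool) -> dict:
    """Call the action as `viewer` for plan `pk`, vulnerable or fixed."""
    view = NutritionPlanViewSet(Request(user=viewer))
    action = (view.nutritional_values_fixed if fixed
              else view.nutritional_values_vulnerable)
    return action(pk)
```

Run `read_as(bob, 10, fixed=False)` and bob gets alice's plan; `read_as(bob, 10, fixed=True)` raises `NotFound`. In a real DRF viewset the same effect is obtained with `self.get_object()` or `get_object_or_404(self.get_queryset(), pk=pk)`, which additionally runs the configured object-level permission checks.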
Potential Impact
The impact is unauthorized disclosure of private user data: nutrition plans with caloric and macronutrient information. For organizations or individuals using wger to manage dietary data this means a privacy breach, loss of user trust and possible obligations under data-protection law such as GDPR; dietary data is health-related personal data and is usable for profiling or as pretext in social engineering. Exploitation requires an account, which rules out anonymous attackers, but that bar is low on deployments that allow self-registration and irrelevant to insiders on shared deployments (gyms, fitness centres, corporate wellness programmes), where any member can read any other member's plan. Integrity and availability are unaffected, so operational disruption is not expected. No exploit is publicly known, but the flaw is trivial to trigger once understood, so it should be remediated promptly.
Mitigation Recommendations
Upgrade to a wger release that contains commit 29876a1954fe959e4b58ef070170e81703dab60e. Where upgrading is not immediately possible, backport that commit; the advisory identifies three `nutritional_values` actions, so the change should be small and consist of resolving the object through the user-scoped queryset instead of `Model.objects.get(pk=pk)`. A reverse proxy or API gateway cannot know which PK belongs to which user, so the only meaningful control at that layer is to block the `nutritional_values` routes outright until the patch is in place; database-level controls do not help either, because the application connects with a single database role. Audit the rest of the code base for the same pattern: any view or `@action` that calls `Model.objects.get(...)` or `Model.objects.filter(...)` on user-owned data instead of going through `get_queryset()` or `get_object()` has the same bug. Review access logs for accounts requesting many distinct plan PKs in a short time; before the fix such a sweep shows as a run of 200 responses, after it typically as a run of 404s. Keep account hygiene basics in place (strong, unique passwords), since any compromised account is a usable foothold, and if unauthorized access is suspected, follow the notification duties of the applicable privacy regime.
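The log review suggested above can be scripted. The following is an added example, not wger's code: it flags accounts that touch many distinct plan PKs within a short window, which is the trace an enumeration attempt leaves regardless of whether the server is patched. The log line format, the `/api/v2/nutritionplan/<pk>/nutritional_values/` route shape and the sample lines are all constructed for the example; the advisory names the action, not its URL, so adjust `TARGET_RE` to the real route of your deployment.

```python
"""Added example (not wger's code): detect PK enumeration against the
nutritional_values action in access logs.  Format, route and sample
lines are constructed; only the detection logic is the point."""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Set, Tuple

# Constructed log format: "<iso timestamp> <user> <method> <path> <status>".
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<user>\S+) (?P<method>[A-Z]+) (?P<path>\S+) (?P<status>\d{3})$"
)
# Hypothetical route shape; replace with the deployment's real URL pattern.
TARGET_RE = re.compile(r"^/api/v2/nutritionplan/(?P<pk>\d+)/nutritional_values/?$")

# Constructed sample: alice and bob use their own plans; mallory sweeps
# pks 1..6 in six seconds, then touches one more plan ninety minutes later.
SAMPLE_LOG = """\
2026-03-01T10:00:01Z alice GET /api/v2/nutritionplan/10/nutritional_values/ 200
2026-03-01T10:00:03Z alice GET /api/v2/nutritionplan/10/nutritional_values/ 200
2026-03-01T10:00:05Z bob GET /api/v2/nutritionplan/11/nutritional_values/ 200
2026-03-01T10:00:06Z mallory GET /api/v2/nutritionplan/1/nutritional_values/ 200
2026-03-01T10:00:07Z mallory GET /api/v2/nutritionplan/2/nutritional_values/ 404
2026-03-01T10:00:08Z mallory GET /api/v2/nutritionplan/3/nutritional_values/ 200
2026-03-01T10:00:09Z mallory GET /api/v2/nutritionplan/4/nutritional_values/ 200
2026-03-01T10:00:10Z mallory GET /api/v2/nutritionplan/5/nutritional_values/ 200
2026-03-01T10:00:11Z mallory GET /api/v2/nutritionplan/6/nutritional_values/ 200
2026-03-01T11:30:00Z mallory GET /api/v2/nutritionplan/7/nutritional_values/ 200
"""


def parse(lines) -> List[Tuple[datetime, str, int, int]]:
    """Return (timestamp, user, pk, status) for lines that hit the action."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        t = TARGET_RE.match(m["path"])
        if not t:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m["user"], int(t["pk"]), int(m["status"])))
    return events


def find_enumerators(log_text: str,
                     window: timedelta = timedelta(minutes=5),
                     threshold: int = 5) -> Dict[str, Set[int]]:
    """Users who touched >= `threshold` distinct pks inside any `window`.

    Status is deliberately not part of the signal: on a pre-fix server every
    guess returns 200, on a patched one the same sweep is a burst of 404s.
    Distinct-pk velocity per account catches both.
    """
    per_user: Dict[str, List[Tuple[datetime, int]]] = defaultdict(list)
    for ts, user, pk, _status in sorted(parse(log_text.splitlines())):
        per_user[user].append((ts, pk))

    flagged: Dict[str, Set[int]] = {}
    for user, hits in per_user.items():
        start = 0                       # sliding window over time-ordered hits
        for end in range(len(hits)):
            while hits[end][0] - hits[start][0] > window:
                start += 1
            pks = {pk for _, pk in hits[start:end + 1]}
            if len(pks) >= threshold:
                flagged.setdefault(user, set()).update(pks)
    return flagged
```

Tune `threshold` to the normal number of plans a user owns; a legitimate user rarely needs more than a handful of distinct plans, whereas a sweep produces dozens in seconds. Flagged PKs tell you whose plans to include in a breach notification.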
Affected Countries
United States, Germany, United Kingdom, Canada, Australia, France, Netherlands, Sweden, Brazil, India
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-02-24T02:32:39.801Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 69a0c89232ffcdb8a2524560
Added to database: 2/26/2026, 10:26:26 PM
Last enriched: 3/6/2026, 9:27:26 PM
Last updated: 4/12/2026, 1:07:16 PM
Views: 65