CVE-2026-27839: CWE-639: Authorization Bypass Through User-Controlled Key in wger-project wger

Severity: Medium
Tags: Vulnerability, CVE-2026-27839, CWE-639
Published: Thu Feb 26 2026 (02/26/2026, 22:07:43 UTC)
Source: CVE Database V5
Vendor/Project: wger-project
Product: wger

Description

wger is a free, open-source workout and fitness manager. In versions up to and including 2.4, three `nutritional_values` action endpoints fetch objects via `Model.objects.get(pk=pk)` — a raw ORM call that bypasses the user-scoped queryset. Any authenticated user can read another user's private nutrition plan data, including caloric intake and full macro breakdown, by supplying an arbitrary PK. Commit 29876a1954fe959e4b58ef070170e81703dab60e contains a fix for the issue.

AI-Powered Analysis

Last updated: 02/26/2026, 22:42:40 UTC

Technical Analysis

CVE-2026-27839 is an authorization bypass (CWE-639, Authorization Bypass Through User-Controlled Key) in wger, the open-source workout and fitness manager, affecting versions up to and including 2.4. Three `nutritional_values` action endpoints look up the requested object with a raw Django ORM call, `Model.objects.get(pk=pk)`, instead of going through the queryset that is already restricted to the requesting user. The endpoints still require authentication, but nothing ties the supplied primary key to the caller: the lookup succeeds for any existing row, whoever owns it.

The practical consequence is a classic insecure direct object reference. An authenticated user who substitutes another user's primary key, which for sequential integer keys is a matter of guessing or iterating, receives that user's private nutrition plan data, including caloric intake and the full macronutrient breakdown. The affected endpoints are read-only, so the issue is limited to unauthorized disclosure; it does not allow modification or deletion of data. The fix is in commit 29876a1954fe959e4b58ef070170e81703dab60e; this page does not show the diff, but the description implies the lookups were moved onto the user-scoped queryset.

The CVSS v3.1 base score is 4.3 (Medium): network attack vector, low attack complexity, low privileges required (any authenticated account), no user interaction, unchanged scope, and low confidentiality impact with no integrity or availability impact. No exploitation in the wild had been reported as of publication. The bug is a reminder that in a multi-tenant application every object lookup keyed on a client-supplied identifier must be filtered by the caller's identity, not merely gated behind a login.
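The lookup pattern described above, as an added example that is not wger's code: a vulnerable endpoint beside its scoped form, using an in-memory stand-in for Django's queryset so it runs without Django. The model, field and request names are assumptions; the point is the difference between `objects.get(pk=pk)` and the same lookup on a queryset first filtered by the caller.

```python
"""Added example (not wger's code): the CWE-639 lookup shape named in the
advisory, with a minimal in-memory imitation of a Django queryset.
NutritionPlan, its fields, and the Request object are assumptions."""

from dataclasses import dataclass


class DoesNotExist(Exception):
    """Stand-in for Django's Model.DoesNotExist (a view maps it to 404)."""


@dataclass(frozen=True)
class NutritionPlan:
    pk: int
    user: str
    calories: int
    protein_g: int


class QuerySet:
    """Only the two ORM operations that matter here: filter() and get()."""

    def __init__(self, rows):
        self._rows = list(rows)

    def filter(self, **kw):
        return QuerySet(
            r for r in self._rows if all(getattr(r, k) == v for k, v in kw.items())
        )

    def get(self, **kw):
        matches = self.filter(**kw)._rows
        if not matches:
            raise DoesNotExist(kw)
        if len(matches) > 1:
            raise ValueError("MultipleObjectsReturned")
        return matches[0]


@dataclass(frozen=True)
class Request:
    user: str  # the authenticated principal, as request.user would be


# Constructed sample data: two users, one private plan each.
PLANS = QuerySet([
    NutritionPlan(pk=1, user="alice", calories=2100, protein_g=140),
    NutritionPlan(pk=2, user="bob", calories=2600, protein_g=180),
])


def nutritional_values_unscoped(request, pk):
    """Vulnerable shape: raw objects.get(pk=pk); request.user is never consulted,
    so any existing pk is returned to any authenticated caller."""
    plan = PLANS.get(pk=pk)
    return {"calories": plan.calories, "protein_g": plan.protein_g}


def nutritional_values_scoped(request, pk):
    """Hardened shape: narrow the queryset to the caller, then look up pk.
    A pk owned by someone else raises DoesNotExist instead of leaking."""
    plan = PLANS.filter(user=request.user).get(pk=pk)
    return {"calories": plan.calories, "protein_g": plan.protein_g}


def demo():
    """Bob requests Alice's plan (pk=1) through both endpoints."""
    bob = Request(user="bob")
    leaked = nutritional_values_unscoped(bob, pk=1)
    try:
        nutritional_values_scoped(bob, pk=1)
        blocked = False
    except DoesNotExist:
        blocked = True
    return leaked, blocked


if __name__ == "__main__":
    print(demo())
```

In a real Django REST framework viewset the scoped form is `self.get_object()`, or `get_object_or_404(self.get_queryset(), pk=pk)` inside an `@action` method, with `get_queryset()` filtering on `self.request.user`; both return 404 for a foreign key rather than 403, which avoids confirming that the key exists.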

Potential Impact

The impact is unauthorized disclosure of personal health data: other users' private nutrition plans, including caloric intake and macronutrient details. For organizations hosting wger this is a confidentiality breach with privacy and possibly regulatory consequences (for example under the GDPR, or HIPAA where it applies). The flaw permits neither data modification nor denial of service, but exposure of health data erodes user trust and the reputation of the operator, and where fitness data feeds into broader health records or personalized medical advice the consequences can be more serious. Exploitation requires an account on the instance, so the exposure is to other registered users, insiders, or holders of compromised credentials; on instances with open registration that is a low bar. Operators of affected versions should treat this as a medium-severity issue and remediate promptly.

Mitigation Recommendations

Upgrade wger to a release that includes commit 29876a1954fe959e4b58ef070170e81703dab60e. If that is not immediately possible, backport the commit or patch the three `nutritional_values` endpoints so that every lookup goes through the queryset already filtered by the authenticated user (for example `get_object_or_404(self.get_queryset(), pk=pk)` in a DRF viewset whose `get_queryset()` filters on `self.request.user`, or simply `self.get_object()`), and confirm with a test that a second account receives a 404 for the first account's plan. Audit the rest of the code base for the same shape, `Model.objects.get(pk=pk)` in request-handling code with no ownership filter, since the same pattern can exist elsewhere. Log and monitor access to these endpoints: one account requesting many distinct primary keys, or keys that belong to other users, is the signature of enumeration and is also how to check historical logs for past abuse. Strong authentication and multi-factor authentication reduce the chance that the required account is a compromised one, and users should be reminded to protect their credentials. Finally, review privacy obligations for the exposed data and have an incident response plan ready in case exposure is confirmed.
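One way to do the code audit recommended above, as an added example that is neither wger's code nor part of this page: a small `ast`-based scanner that reports every `<Model>.objects.get(...)` call constrained only by `pk` or `id`. The sample view source it scans is constructed for the example and is parsed, never imported, so the undefined names in it do not matter.

```python
"""Added example, not wger's code: a static check for the ORM shape this
advisory describes, `Model.objects.get(pk=pk)` with no ownership filter.
It parses Python source and reports every `<Name>.objects.get(...)` call
whose only keyword arguments are pk/id. The sample views below are
constructed for the example and are only parsed, never executed."""

import ast
from dataclasses import dataclass

# Keyword arguments that identify a row without saying who owns it.
KEY_ONLY = {"pk", "id"}


@dataclass(frozen=True)
class Finding:
    line: int
    model: str
    keywords: tuple


def _is_objects_get(call):
    """True for calls shaped like <Name>.objects.get(...)."""
    f = call.func
    return (
        isinstance(f, ast.Attribute) and f.attr == "get"
        and isinstance(f.value, ast.Attribute) and f.value.attr == "objects"
        and isinstance(f.value.value, ast.Name)
    )


def find_unscoped_gets(source, filename="<source>"):
    """Return a Finding for each objects.get() keyed only by pk/id.

    Calls with positional arguments (e.g. Q objects), **kwargs, or any other
    keyword (user=..., plan__user=...) may carry an ownership constraint, so
    they are skipped here and left to human review."""
    findings = []
    for node in ast.walk(ast.parse(source, filename=filename)):
        if not (isinstance(node, ast.Call) and _is_objects_get(node)):
            continue
        keys = tuple(k.arg for k in node.keywords if k.arg is not None)
        if node.args or not keys or any(k not in KEY_ONLY for k in keys):
            continue
        findings.append(Finding(node.lineno, node.func.value.value.id, keys))
    return findings


def scan_file(path):
    """Scan one file on disk; returns (path, line, model) tuples."""
    with open(path, encoding="utf-8") as fh:
        return [(path, f.line, f.model) for f in find_unscoped_gets(fh.read(), path)]


# Constructed sample: one unscoped lookup, one fixed, one scoped by owner.
SAMPLE_VIEWS = '''
from django.shortcuts import get_object_or_404

class NutritionPlanViewSet(viewsets.ModelViewSet):
    def get_queryset(self):
        return NutritionPlan.objects.filter(user=self.request.user)

    @action(detail=True)
    def nutritional_values(self, request, pk):
        plan = NutritionPlan.objects.get(pk=pk)  # unscoped: any user's pk works
        return Response(plan.get_nutritional_values())

    @action(detail=True)
    def nutritional_values_fixed(self, request, pk):
        plan = get_object_or_404(self.get_queryset(), pk=pk)
        return Response(plan.get_nutritional_values())


def meal_values(request, pk):
    meal = Meal.objects.get(pk=pk, plan__user=request.user)  # scoped by owner
    return meal
'''


if __name__ == "__main__":
    for f in find_unscoped_gets(SAMPLE_VIEWS, "sample_views.py"):
        keys = ", ".join(f.keywords)
        print(f"sample_views.py:{f.line}: {f.model}.objects.get({keys}) has no ownership filter")
```

The check is deliberately conservative: it only flags lookups that are provably keyed by identifier alone, so a clean run does not prove the code base is safe, but every hit is worth a look. Run `scan_file` over each `views.py` and `api/views.py` in the tree to apply it.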

Technical Details

Data Version
5.2
Assigner Short Name
GitHub_M
Date Reserved
2026-02-24T02:32:39.801Z
CVSS Version
3.1
State
PUBLISHED

Threat ID: 69a0c89232ffcdb8a2524560

Added to database: 2/26/2026, 10:26:26 PM

Last enriched: 2/26/2026, 10:42:40 PM

Last updated: 2/26/2026, 11:38:47 PM
