CVE-2026-27835: Do You Even Lift? The wger Workout Leak
Vulnerability ID: CVE-2026-27835
CVSS Score: 4.3
Published: 2026-02-26
A classic Insecure Direct Object Reference (IDOR) vulnerability in the wger Workout Manager allows authenticated users to access the repetition configurations of every other user on the platform. Due to a failure to filter API querysets by the requesting user, the application serves up the entire database's workout structure to anyone with a valid account.
TL;DR
The wger API forgot to filter database queries by the current user. Authenticated attackers can query specific endpoints to dump the repetition configurations (sets, reps, workout structure) of all users on the instance.
⚠️ Exploit Status: PoC
Technical Details
- CWE ID: CWE-639
- Attack Vector: Network (API)
- CVSS v3.1: 4.3 (Medium)
- Impact: Information Disclosure
- Exploit Status: PoC Available
- Authentication: Required (Low Privilege)
Affected Systems
- wger Workout Manager <= 2.4 (fixed in commit 1fda569)
Code Analysis
Commit: 1fda569
Fix IDOR in repetition config viewsets
Exploit Details
- GitHub Advisory: PoC demonstrating enumeration of repetition configs via curl
Mitigation Strategies
- Upgrade wger to a version post-commit 1fda569
- Implement strong object-level permission checks in all API viewsets
- Audit all API endpoints that return lists (Model.objects.all())
Remediation Steps:
- Pull the latest changes from the wger GitHub repository.
- Restart the application server (gunicorn/uwsgi).
- Verify the fix by attempting to access a known ID of another user via the API.
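The mitigation and remediation lists above both come down to one pattern: a Django REST Framework viewset whose get_queryset() returns Model.objects.all() exposes every user's rows to both the list and the detail endpoint, and the fix is to scope that queryset to request.user. The following is an added example, not wger's code and not the content of commit 1fda569: it models the vulnerable and the fixed viewset with plain Python stand-ins (no Django dependency, so the classes User, RepetitionConfig, QuerySet, Request and the two viewsets are constructed here), and automates the verification in the last remediation step as a cross-user access check that requests each user's object IDs as every other user.

```python
"""
Added example (not wger's code): a plain-Python model of the Django REST
Framework viewset pattern behind CVE-2026-27835, plus an automated cross-user
access check of the kind the remediation's verification step describes.

All names below (User, RepetitionConfig, QuerySet, Request, the viewsets and
the sample rows) are constructed for this example and are assumptions, not
identifiers taken from the wger code base.
"""
from dataclasses import dataclass
from itertools import permutations


@dataclass(frozen=True)
class User:
    id: int
    username: str


@dataclass(frozen=True)
class RepetitionConfig:
    id: int
    owner_id: int  # user whose workout this sets/reps configuration belongs to
    reps: int
    sets: int


class QuerySet:
    """Minimal stand-in for a Django queryset: filter() and get() only."""

    def __init__(self, rows):
        self._rows = list(rows)

    def filter(self, **kw):
        return QuerySet(r for r in self._rows
                        if all(getattr(r, k) == v for k, v in kw.items()))

    def get(self, **kw):
        rows = self.filter(**kw)._rows
        if not rows:
            raise LookupError("DoesNotExist")
        return rows[0]

    def __iter__(self):
        return iter(self._rows)


# Constructed sample data: two users, each with their own repetition configs.
ALICE, BOB = User(1, "alice"), User(2, "bob")
CONFIGS = QuerySet([
    RepetitionConfig(10, ALICE.id, reps=5, sets=5),
    RepetitionConfig(11, ALICE.id, reps=8, sets=3),
    RepetitionConfig(20, BOB.id, reps=12, sets=4),
])


class Request:
    def __init__(self, user):
        self.user = user


class VulnerableViewSet:
    """The flaw: get_queryset() ignores the requesting user (Model.objects.all()),
    so list() shows everyone's rows and retrieve(pk) answers for any pk."""

    def __init__(self, request):
        self.request = request

    def get_queryset(self):
        return CONFIGS

    def list(self):
        return [c.id for c in self.get_queryset()]

    def retrieve(self, pk):
        try:
            return self.get_queryset().get(id=pk)
        except LookupError:
            return None  # stands in for an HTTP 404 response


class FixedViewSet(VulnerableViewSet):
    """The fix: scope the queryset to the requesting user. Because retrieve()
    also goes through get_queryset(), a foreign pk now yields 404, not 200."""

    def get_queryset(self):
        return CONFIGS.filter(owner_id=self.request.user.id)


def cross_user_leaks(viewset_cls, users):
    """Automated version of the verification step: for every ordered pair
    (victim, requester), request each of the victim's object ids as the
    requester, via both the detail and the list endpoint. Returns a sorted list
    of (requester, leaked object id) tuples; an empty list means no IDOR."""
    leaks = set()
    for victim, requester in permutations(users, 2):
        owned = {c.id for c in CONFIGS.filter(owner_id=victim.id)}
        vs = viewset_cls(Request(requester))
        for pk in owned:
            if vs.retrieve(pk) is not None:
                leaks.add((requester.username, pk))
        for pk in vs.list():
            if pk in owned:
                leaks.add((requester.username, pk))
    return sorted(leaks)


if __name__ == "__main__":
    print("vulnerable:", cross_user_leaks(VulnerableViewSet, [ALICE, BOB]))
    print("fixed:     ", cross_user_leaks(FixedViewSet, [ALICE, BOB]))
```

The check deliberately exercises both the detail and the list endpoint, since the list is where the bulk dump described in the TL;DR happens; in a real deployment the same loop would be driven by an HTTP client with two low-privilege accounts, treating any 200 for a foreign ID as a regression.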
References
Read the full report for CVE-2026-27835 on our website for more details including interactive diagrams and full exploit analysis.