DEV Community

CVE Reports

Posted on • Originally published at cvereports.com

CVE-2026-27838: Leaking Gains: The Cached IDOR in wger Fitness Manager

Vulnerability ID: CVE-2026-27838
CVSS Score: 3.1
Published: 2026-02-26

A classic case of premature optimization leading to a security failure. In the wger fitness manager, a caching layer added to speed up API responses inadvertently bypassed the authorization check. Because cache keys were derived solely from the resource ID, with no component tied to the requesting user, the application served a private workout routine from cache to any authenticated user who asked for its ID, provided the owner had recently loaded it.

TL;DR

The wger API cached workout routines using keys that didn't include the User ID. If User A viewed their workout, it was cached globally. User B could then request User A's workout ID, hit the cache, and receive the data without an ownership check.


⚠️ Exploit Status: POC

Technical Details

  • CWE: CWE-639 (Authorization Bypass Through User-Controlled Key)
  • CVSS: 3.1 (Low)
  • Attack Vector: Network (API)
  • Exploit Requirements: Authenticated, Victim Interaction (Cache Priming)
  • Privileges Required: Low (Any valid user)
  • Status: Patched

Affected Systems

  • wger Workout Manager (Self-hosted)
  • wger SaaS
  • wger <= 2.4 (fixed in 2.5, implied by the fixing commit)

Code Analysis

Commit: e964328

Fixed caching IDOR by scoping keys to user_id

- cache_key = CacheKeyMapper.routine_api_structure_key(pk)
+ cache_key = CacheKeyMapper.routine_api_structure_key(pk, request.user.id)
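Review bot: the hunk changes only the key helper's arguments and shows no surrounding context, so confirm that the ownership check (the view's get_object() call) runs before this cache lookup and not only on a cache miss; the per-user key then becomes defence in depth rather than the only gate. Also check the anonymous case: in Django, AnonymousUser.id is None, so if this view is reachable without authentication every anonymous caller would share one key per pk, which is the same class of problem in miniature. Finally, entries written under the old unscoped key stay valid in Redis or Memcached after deploy; pair the change with a cache flush or a key-version bump so the leak does not persist until those entries expire.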

Exploit Details

  • Theory: cache priming. The attacker requests the target routine ID after the victim's own request has populated the shared cache entry, so the response comes from cache and the ownership check never runs.

Mitigation Strategies

  • Scope cache keys to the specific user (e.g., key + user_id).
  • Perform authorization checks (e.g., get_object()) BEFORE checking the cache.
  • Implement random UUIDs for resource IDs to prevent enumeration.
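The two key-scoping strategies side by side, as an added example that is not wger's code: an in-memory dict stands in for Redis/Memcached, `ROUTINES` is a constructed fixture, and `unscoped_key`/`scoped_key` are hypothetical stand-ins for the `CacheKeyMapper.routine_api_structure_key` helper named in the commit. `vulnerable_view` consults the cache before any ownership check, which is the bug; `fixed_view` authorizes first and also scopes the key to the user, so even a stale or shared entry cannot be served across accounts.

```python
"""Unscoped vs user-scoped cache keys for a per-user API resource (added example)."""
from dataclasses import dataclass, field


class PermissionDenied(Exception):
    """Raised when the requesting user does not own the routine."""


@dataclass(frozen=True)
class Routine:
    pk: int
    owner_id: int
    structure: dict = field(default_factory=dict)


# Constructed fixture: routine 42 belongs to user 1 and contains private data.
ROUTINES = {
    42: Routine(pk=42, owner_id=1, structure={"days": ["push", "pull", "legs"]}),
}


def unscoped_key(pk: int) -> str:
    """Pre-fix shape: the key depends on the resource ID only (hypothetical helper)."""
    return f"routine-api-structure-{pk}"


def scoped_key(pk: int, user_id: int) -> str:
    """Post-fix shape: the key also carries the requesting user's ID (hypothetical helper)."""
    return f"routine-api-structure-{pk}-{user_id}"


def get_object_or_403(pk: int, user_id: int) -> Routine:
    """Ownership check; mirrors a get_object() that filters the queryset by owner."""
    routine = ROUTINES.get(pk)
    if routine is None or routine.owner_id != user_id:
        raise PermissionDenied(f"user {user_id} may not read routine {pk}")
    return routine


def vulnerable_view(cache: dict, pk: int, user_id: int) -> dict:
    """Cache is consulted first, so a hit skips authorization entirely."""
    key = unscoped_key(pk)
    if key in cache:
        return cache[key]  # served to ANY user who asks for this pk
    routine = get_object_or_403(pk, user_id)  # only runs on a miss
    cache[key] = routine.structure
    return routine.structure


def fixed_view(cache: dict, pk: int, user_id: int) -> dict:
    """Authorize on every request, then use a key that cannot collide across users."""
    routine = get_object_or_403(pk, user_id)  # always runs, hit or miss
    key = scoped_key(pk, user_id)
    if key in cache:
        return cache[key]
    cache[key] = routine.structure
    return routine.structure


def demo(view) -> str:
    """Victim (user 1) primes the cache; attacker (user 2) requests the same pk.

    Returns "leaked" if user 2 received the structure, "denied" otherwise.
    """
    cache: dict = {}
    view(cache, 42, 1)  # victim's own request populates the cache
    try:
        view(cache, 42, 2)  # attacker requests the victim's routine ID
    except PermissionDenied:
        return "denied"
    return "leaked"


if __name__ == "__main__":
    print("unscoped key, cache checked first:", demo(vulnerable_view))  # leaked
    print("scoped key, authz checked first:  ", demo(fixed_view))       # denied
```

The authorization-before-cache ordering is what closes the hole; the user-scoped key is defence in depth, and it is also what keeps per-user content from being mixed up if two users legitimately see different renderings of the same routine.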

Remediation Steps:

  1. Update wger to a version post-commit e964328 (or version 2.5+).
  2. Clear the entire application cache (Redis/Memcached) immediately after patching to purge vulnerable unscoped keys.
  3. Review access logs for patterns of ID enumeration on /api/v2/routine/*/structure/.
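A small log-review helper for remediation step 3, as an added example that is not part of the report: it parses constructed nginx-style access-log lines (no real data), keeps only requests to the `/api/v2/routine/<id>/structure/` endpoint, and flags clients that touched an unusually wide spread of routine IDs. The log format, the client IP as a stand-in for the user (typical access logs do not carry the application user ID), and the threshold are assumptions.

```python
"""Flag routine-ID enumeration against the structure endpoint in access logs (added example)."""
import re
from collections import defaultdict

# Constructed sample lines (nginx combined format). 10.0.0.5 is the routine owner
# reading its own routine; 10.0.0.9 walks sequential IDs around it.
SAMPLE_LOG = """\
10.0.0.5 - - [26/Feb/2026:10:00:01 +0000] "GET /api/v2/routine/42/structure/ HTTP/1.1" 200 812
10.0.0.9 - - [26/Feb/2026:10:00:05 +0000] "GET /api/v2/routine/41/structure/ HTTP/1.1" 403 58
10.0.0.9 - - [26/Feb/2026:10:00:05 +0000] "GET /api/v2/routine/42/structure/ HTTP/1.1" 200 812
10.0.0.9 - - [26/Feb/2026:10:00:06 +0000] "GET /api/v2/routine/43/structure/ HTTP/1.1" 403 58
10.0.0.9 - - [26/Feb/2026:10:00:06 +0000] "GET /api/v2/routine/44/structure/ HTTP/1.1" 403 58
10.0.0.9 - - [26/Feb/2026:10:00:07 +0000] "GET /api/v2/routine/45/structure/ HTTP/1.1" 403 58
10.0.0.5 - - [26/Feb/2026:10:01:00 +0000] "GET /api/v2/exercise/7/ HTTP/1.1" 200 300
"""

LINE_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)
STRUCTURE_RE = re.compile(r"^/api/v2/routine/(?P<pk>\d+)/structure/?$")


def parse_structure_requests(log_text: str):
    """Yield (client, routine_pk, status) for each hit on the structure endpoint."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unparseable line; skip rather than fail the whole review
        s = STRUCTURE_RE.match(m["path"])
        if not s:
            continue  # some other endpoint
        yield m["client"], int(s["pk"]), int(m["status"])


def find_enumeration(log_text: str, min_distinct_ids: int = 3) -> dict:
    """Return {client: sorted distinct routine IDs} for clients at or above the threshold.

    Status codes are deliberately ignored here: on an unpatched instance a cross-user
    request that hit the cache returned 200, so a 403-only filter would miss the leak.
    """
    seen = defaultdict(set)
    for client, pk, _status in parse_structure_requests(log_text):
        seen[client].add(pk)
    return {c: sorted(p) for c, p in seen.items() if len(p) >= min_distinct_ids}


def successful_hits(log_text: str, client: str) -> list:
    """Routine IDs that returned 200 to the given client; each one is worth checking
    against the ownership table, since on an unpatched instance it may be a leaked entry."""
    return sorted({pk for c, pk, status in parse_structure_requests(log_text)
                   if c == client and status == 200})


if __name__ == "__main__":
    suspects = find_enumeration(SAMPLE_LOG)
    for client, ids in suspects.items():
        print(f"{client}: {len(ids)} distinct routine IDs {ids}, "
              f"200 responses for {successful_hits(SAMPLE_LOG, client)}")
```

The sequential ID walk is exactly what the UUID mitigation above is meant to take away; with random identifiers the "many adjacent IDs from one client" signal disappears because guessing them stops being practical, and the review can focus on the remaining 200 responses for routines the client does not own.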

Read the full report for CVE-2026-27838 on our website for more details including interactive diagrams and full exploit analysis.
