CVE Reports

Originally published at cvereports.com

CVE-2026-27839: Lifting the Lid on wger: IDOR in the Nutrition API

Vulnerability ID: CVE-2026-27839
CVSS Score: 4.3
Published: 2026-02-26

A classic Insecure Direct Object Reference (IDOR) vulnerability in the 'wger' workout manager allows authenticated users to access the nutrition plans of any other user. Because the endpoint looked the plan up by raw primary key instead of going through Django REST Framework's object-level permission checks, the API serves up full macro breakdowns and caloric data for arbitrary IDs.

TL;DR

The wger fitness manager application failed to verify object ownership in its nutrition API endpoints. The code used a raw ORM lookup (`NutritionPlan.objects.get(pk=pk)`) instead of the viewset's permission-aware `get_object()`, allowing any logged-in user to iterate through database IDs and download the dietary habits (macros, calories) of every other user on the platform.

⚠️ Exploit Status: PoC available

Technical Details

  • CWE ID: CWE-639 (IDOR)
  • CVSS v3.1: 4.3 (Medium)
  • Attack Vector: Network (Authenticated)
  • Impact: Confidentiality Loss (Low)
  • Affected Component: NutritionPlanViewSet
  • Exploit Status: PoC Available

Affected Systems

  • wger Workout Manager (nutrition module)
  • wger: <= 2.4 (Fixed in: Commit 29876a1954fe959e4b58ef070170e81703dab60e)

Code Analysis

Commit: 29876a1

Fix IDOR in nutritional values endpoint

--- a/wger/nutrition/api/views.py
+++ b/wger/nutrition/api/views.py
@@ -298,7 +298,7 @@
-            NutritionPlan.objects.get(pk=pk).get_nutritional_values()['total'],
+            self.get_object().get_nutritional_values()['total'],
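Review bot: switching to `self.get_object()` only closes the IDOR if this viewset's `get_queryset()` is restricted to the requesting user's plans (or an object-level permission class is configured); `get_object()` itself just resolves `pk` within that queryset and then calls `check_object_permissions()`, so the ownership filter should be confirmed in the same viewset and covered by a regression test that requests another user's plan id and expects 404. Also worth stating in the commit message: the old `NutritionPlan.objects.get(pk=pk)` raised `DoesNotExist` (a 500) for an unknown id, whereas `get_object()` raises `Http404`, which is what the 404 check in the remediation steps relies on.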

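To make the difference between the two lines of the hunk concrete, and to show why the 404 in the verification step of the remediation below depends on a user-scoped queryset, here is an added example that is not wger's own code: it models the viewset pattern with an in-memory stand-in for the Django ORM, so `NutritionPlan`, `PlanQuerySet`, `ALL_PLANS`, the sample users and `NutritionPlanViewSet` are all constructed here, and `NotFound` stands in for DRF's 404 exception.

```python
# Added illustration, not wger's own code: an in-memory stand-in for the Django ORM /
# DRF viewset pattern behind CVE-2026-27839. All classes and data here are constructed.
class NotFound(Exception):
    pass  # stand-in for rest_framework.exceptions.NotFound (HTTP 404)
class NutritionPlan:
    def __init__(self, pk, owner, items):
        self.pk, self.owner = pk, owner
        self.items = items  # constructed: (kcal, protein g, carbs g, fat g) per item

    def get_nutritional_values(self):
        keys = ("energy", "protein", "carbohydrates", "fat")
        return {"total": {k: sum(it[i] for it in self.items) for i, k in enumerate(keys)}}

class PlanQuerySet:
    def __init__(self, rows):  # mimics QuerySet.filter() / .get(pk=...) over a list
        self.rows = list(rows)

    def filter(self, owner):
        return PlanQuerySet(r for r in self.rows if r.owner == owner)

    def get(self, pk):
        for r in self.rows:
            if r.pk == pk:
                return r
        raise NotFound(f"plan {pk} not found")

ALL_PLANS = PlanQuerySet([  # constructed sample data: two users, one plan each
    NutritionPlan(1, "alice", [(500, 30, 40, 20), (700, 45, 60, 25)]),
    NutritionPlan(2, "bob", [(900, 50, 90, 30)]),
])

class NutritionPlanViewSet:
    def __init__(self, request_user):
        self.request_user = request_user  # DRF would read self.request.user

    def get_queryset(self):
        # Ownership is enforced here: only the caller's own plans are visible.
        return ALL_PLANS.filter(owner=self.request_user)

    def get_object(self, pk):
        # Like DRF's get_object(): resolve pk against the *scoped* queryset.
        return self.get_queryset().get(pk=pk)

    def nutritional_values_vulnerable(self, pk):
        # Before the fix: global lookup, so any logged-in user can read any pk.
        return ALL_PLANS.get(pk=pk).get_nutritional_values()["total"]

    def nutritional_values_fixed(self, pk):
        # After commit 29876a1: scoped lookup, a foreign pk raises NotFound (404).
        return self.get_object(pk).get_nutritional_values()["total"]
```

With the scoped queryset, `bob` asking for plan 1 gets `NotFound` from the fixed action but alice's full totals from the vulnerable one; remove the filter from `get_queryset()` and the fixed action leaks just the same, which is the point of the review note above.
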
Exploit Details

Mitigation Strategies

  • Update wger to the latest version immediately.
  • Disable open registration if the instance is private/internal.
  • Implement rate limiting on API endpoints to slow down enumeration attacks.

Remediation Steps:

  1. Apply commit 29876a1954fe959e4b58ef070170e81703dab60e to your wger installation.
  2. Restart the Gunicorn/Django service.
  3. Verify the fix by attempting to access a nutrition plan ID that does not belong to your test user (should return 404).

References

Read the full report for CVE-2026-27839 on our website for more details including interactive diagrams and full exploit analysis.