{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-27839", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-02-24T02:32:39.801Z", "datePublished": "2026-02-26T22:07:43.640Z", "dateUpdated": "2026-02-26T22:07:43.640Z"}, "containers": {"cna": {"title": "wger: IDOR in nutritional_values endpoints exposes private dietary data via direct ORM lookup", "problemTypes": [{"descriptions": [{"cweId": "CWE-639", "lang": "en", "description": "CWE-639: Authorization Bypass Through User-Controlled Key", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/wger-project/wger/security/advisories/GHSA-g8gc-6c4h-jg86", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/wger-project/wger/security/advisories/GHSA-g8gc-6c4h-jg86"}, {"name": "https://github.com/wger-project/wger/commit/29876a1954fe959e4b58ef070170e81703dab60e", "tags": ["x_refsource_MISC"], "url": "https://github.com/wger-project/wger/commit/29876a1954fe959e4b58ef070170e81703dab60e"}], "affected": [{"vendor": "wger-project", "product": "wger", "versions": [{"version": "<= 2.4", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-02-26T22:07:43.640Z"}, "descriptions": [{"lang": "en", "value": "wger is a free, open-source workout and fitness manager. In versions up to and including 2.4, three `nutritional_values` action endpoints fetch objects via `Model.objects.get(pk=pk)` \u2014 a raw ORM call that bypasses the user-scoped queryset. Any authenticated user can read another user's private nutrition plan data, including caloric intake and full macro breakdown, by supplying an arbitrary PK. Commit 29876a1954fe959e4b58ef070170e81703dab60e contains a fix for the issue."}], "source": {"advisory": "GHSA-g8gc-6c4h-jg86", "discovery": "UNKNOWN"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "wger is a free, open-source workout and fitness manager. In versions up to and including 2.4, three `nutritional_values` action endpoints fetch objects via `Model.objects.get(pk=pk)` \u2014 a raw ORM call that bypasses the user-scoped queryset. Any authenticated user can read another user's private nutrition plan data, including caloric intake and full macro breakdown, by supplying an arbitrary PK. Commit 29876a1954fe959e4b58ef070170e81703dab60e contains a fix for the issue."}, {"lang": "es", "value": "wger es un gestor gratuito y de c\u00f3digo abierto de entrenamientos y estado f\u00edsico. En las versiones hasta la 2.4 inclusive, tres puntos finales de acci\u00f3n 'nutritional_values' recuperan objetos a trav\u00e9s de 'Model.objects.get(pk=pk)' \u2014 una llamada ORM directa que omite el queryset con \u00e1mbito de usuario. Cualquier usuario autenticado puede leer los datos del plan de nutrici\u00f3n privado de otro usuario, incluyendo la ingesta cal\u00f3rica y el desglose completo de macronutrientes, al proporcionar un PK arbitrario. El commit 29876a1954fe959e4b58ef070170e81703dab60e contiene una soluci\u00f3n para el problema."}], "id": "CVE-2026-27839", "lastModified": "2026-02-27T14:06:37.987", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-02-26T23:16:35.123", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/wger-project/wger/commit/29876a1954fe959e4b58ef070170e81703dab60e"}, {"source": "security-advisories@github.com", "url": "https://github.com/wger-project/wger/security/advisories/GHSA-g8gc-6c4h-jg86"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-639"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,2.4]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "product": "wger", "vendor": "wger-project"}], "created": "2026-02-27T09:03:58.306974+00:00", "updated": "2026-02-27T09:03:58.307043+00:00", "vendors": ["wger-project", "wger-project$PRODUCT$wger"]}