Vulnerability DatabaseCVE-2026-27838
Mend.io Vulnerability Database
The largest open source vulnerability database
What is a Vulnerability ID?
New vulnerability? Tell us about it!
CVE-2026-27838
February 26, 2026
wger is a free, open-source workout and fitness manager. Five routine detail action endpoints check a cache before calling "self.get_object()". In versions up to and including 2.4, ache keys are scoped only by "pk" — no user ID is included. When a victim has previously accessed their routine via the API, an attacker can retrieve the cached response for the same PK without any ownership check. Commit e964328784e2ee2830a1991d69fadbce86ac9fbf contains a patch for the issue.
Related Resources (4)
https://github.com/wger-project/wger
https://github.com/wger-project/wger/commit/e964328784e2ee2830a1991d69fadbce86ac9fbf
https://github.com/wger-project/wger/security/advisories/GHSA-42cr-w2gr-m54q
https://nvd.nist.gov/vuln/detail/CVE-2026-27838
Do you need more information?
Contact Us
CVSS v4
Base Score:
2.3
Attack Vector
NETWORK
Attack Complexity
HIGH
Attack Requirements
NONE
Privileges Required
LOW
User Interaction
NONE
Vulnerable System Confidentiality
LOW
Vulnerable System Integrity
NONE
Vulnerable System Availability
NONE
Subsequent System Confidentiality
NONE
Subsequent System Integrity
NONE
Subsequent System Availability
NONE
CVSS v3
Base Score:
3.1
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality
LOW
Integrity
NONE
Availability
NONE
Weakness Type (CWE)
Authorization Bypass Through User-Controlled Key
CWE-639
EPSS
Base Score:
0.03