Analysis and contextual insights are available on OpenCVE Cloud.
No vendor fix or workaround currently provided.
Additional remediation guidance may be available on OpenCVE Cloud.
Tracking
Sign in to view the affected projects.
| Source | ID | Title |
|---|---|---|
Github GHSA |
GHSA-cj9g-27ph-4cgv | wger Vulnerable to IDOR: Authenticated Users Can Read Any User's Private Workout Session Data via Template Routine API |
Fri, 17 Jul 2026 14:30:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Metrics |
ssvc
|
Fri, 17 Jul 2026 00:15:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared |
Wger-project
Wger-project wger |
|
| Vendors & Products |
Wger-project
Wger-project wger |
Thu, 16 Jul 2026 22:30:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Description | wger is a free, open-source workout and fitness manager. In versions prior to 2.6, any authenticated user can read another user's private workout session notes, exercise history, and training statistics by calling the /logs/ and /stats/ actions on a routine they do not own. The vulnerability exists in RoutineViewSet (wger/manager/api/views.py). The view defines two custom actions /logs/ and /stats/ that are intended to return data for the requesting user's own training history within a routine. However, the underlying permission check (RoutinePermission.has_object_permission) grants read access to any authenticated user when the routine has is_template=True, regardless of ownership. When the /logs/ or /stats/ actions are invoked against a routine the attacker does not own, they return the owner's private workout history, not the attacker's. This issue has been fixed in version 2.6. | |
| Title | wger IDOR: Authenticated Users Can Read Others' Private Workout Session Data via Template Routine API | |
| Weaknesses | CWE-639 CWE-863 |
|
| References |
| |
| Metrics |
cvssV3_1
|
Status: PUBLISHED
Assigner: GitHub_M
Published:
Updated: 2026-07-17T13:14:37.507Z
Reserved: 2026-05-04T20:24:31.916Z
Link: CVE-2026-43977
Updated: 2026-07-17T13:13:13.162Z
No data.
No data.
OpenCVE Enrichment
Updated: 2026-07-17T00:00:07Z
Github GHSA