Back to overview

CVE-2026-43977

HIGH
7.5
CVSS 3.1
Description
wger is a free, open-source workout and fitness manager. In versions prior to 2.6, any authenticated user can read another user's private workout session notes, exercise history, and training statistics by calling the /logs/ and /stats/ actions on a routine they do not own. The vulnerability exists in RoutineViewSet (wger/manager/api/views.py). The view defines two custom actions /logs/ and /stats/ that are intended to return data for the requesting user's own training history within a routine. However, the underlying permission check (RoutinePermission.has_object_permission) grants read access to any authenticated user when the routine has is_template=True, regardless of ownership. When the /logs/ or /stats/ actions are invoked against a routine the attacker does not own, they return the owner's private workout history, not the attacker's. This issue has been fixed in version 2.6.

Metadata

CVE ID
CVE-2026-43977
State
PUBLISHED
Assigner
GitHub_M
Reserved
2026-05-04 20:24 UTC
Published
2026-07-16 22:13 UTC
Last updated
2026-07-16 22:13 UTC
Primary CWE
CWE-639
CWE-639: Authorization Bypass Through User-Controlled Key
Vendor / Product
wger-project / wger
Sources
cve.org  ·  NVD

Severity & Metrics

7.5 HIGH CVSS 3.1
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Affected products (1)
VendorProductPlatformVersions
wger-project wger < 2.6
Weakness (CWE)
CWESourceDescription
CWE-639 cna CWE-639: Authorization Bypass Through User-Controlled Key
CWE-863 cna CWE-863: Incorrect Authorization
CVSS scores (1)
ScoreSeverityVersionSourceVector
7.5 HIGH 3.1 cna CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
References (1)
Back to overview