Vulnerabilities ›

CVE-2026-27838

Low ⚡ Exploit Available

CWE-639 — Weakness Type

                    Published: Feb 26, 2026                      ·  Modified: Mar 5, 2026                      ·  Source: NVD                

CVSS v3

3.1

🔗 NVD Official

📄 Description (English)

wger is a free, open-source workout and fitness manager. Five routine detail action endpoints check a cache before calling `self.get_object()`. In versions up to and including 2.4, ache keys are scoped only by `pk` — no user ID is included. When a victim has previously accessed their routine via the API, an attacker can retrieve the cached response for the same PK without any ownership check. Commit e964328784e2ee2830a1991d69fadbce86ac9fbf contains a patch for the issue.

🤖 AI Executive Summary

Wger fitness manager versions up to 2.4 have an improper cache key scoping vulnerability where routine details are cached by primary key only, allowing attackers to access other users' cached routine data. The vulnerability requires prior victim access and affects only cached responses, limiting its practical impact.

📄 Description (Arabic)

يحتوي إصدار wger 2.4 وما قبله على ضعف في نطاق مفتاح التخزين المؤقت حيث يتم تخزين تفاصيل الروتين مؤقتاً باستخدام معرف أساسي فقط دون تضمين معرف المستخدم. يمكن للمهاجمين الوصول إلى البيانات المخزنة مؤقتاً لمستخدمين آخرين إذا كانوا قد وصلوا سابقاً إلى نفس معرف الروتين عبر واجهة برمجية التطبيقات.

🤖 ملخص تنفيذي (AI)

🤖 AI Intelligence Analysis Analyzed: May 30, 2026 08:34

🇸🇦 Saudi Arabia Impact Assessment

Saudi Relevance: low

🏢 Affected Saudi Sectors

healthcare

🎯 MITRE ATT&CK Techniques

T1555

⚖️ Saudi Risk Score (AI)

3.0

/ 10.0

🔧 Remediation Steps (English)

Update wger to version 2.5 or later which includes commit e964328784e2ee2830a1991d69fadbce86ac9fbf that properly scopes cache keys by both primary key and user ID. Organizations should also review access logs for unauthorized routine data access.

🔧 خطوات المعالجة (العربية)

قم بتحديث wger إلى الإصدار 2.5 أو أحدث الذي يتضمن الإصلاح الذي يقيد مفاتيح التخزين المؤقت بشكل صحيح بناءً على معرف المستخدم ومفتاح البيانات الأساسي. يجب على المنظمات أيضاً مراجعة سجلات الوصول للكشف عن أي وصول غير مصرح به لبيانات الروتين.

📋 Regulatory Compliance Mapping

🟡 ISO 27001:2022

A.14.2.1

🔗 References & Sources 2

🔗

https://github.com/wger-project/wger/commit/e964328784e2ee2830a1991d69fadbce86ac9fbf

security-advisories@github.com

Patch

🔗

https://github.com/wger-project/wger/security/advisories/GHSA-42cr-w2gr-m54q

security-advisories@github.com

Exploit Vendor Advisory

📦 Affected Products / CPE 1 entries

wger:wger

📊 CVSS Score

3.1

/ 10.0 — Low

📊 CVSS Vector

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N

Attack VectorN — None / Network

Attack ComplexityH — High

Privileges RequiredL — Low / Local

User InteractionN — None / Network

ScopeU — Unchanged

ConfidentialityL — Low / Local

IntegrityN — None / Network

AvailabilityN — None / Network

📋 Quick Facts

Severity Low

CVSS Score3.1

CWECWE-639

Exploit ✓ Yes

Patch ✓ Yes

Published 2026-02-26

Source Feed nvd

🇸🇦 Saudi Risk Score

3.0

/ 10.0 — Saudi Risk

Priority: LOW

🏷️ Tags

exploit-available patch-available CWE-639

🏢 Vendor Advisories

🔗 https://github.com/wger-project/wger/security/adviso...

⚡ Actions

🔗 NVD Official Page ⚡ Exploit-DB Search 🐙 GitHub PoC Search 🎯 MITRE ATT&CK 📊 CVE Details

💬 Comments

Loading comments

CVE-2026-27838

💬 Comments

Introduce Yourself

Sign In Required