CVE-2026-27838: wger: IDOR via user-unscoped cache keys on routine API actions exposes workout data
Five routine detail action endpoints look up a cached response before calling self.get_object(), the method that enforces ownership of the routine. The cache keys are scoped only by pk and include no user ID. Once a victim has loaded their routine through the API, any other user who requests the same pk receives the cached response without an ownership check, exposing the victim's workout data.
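The pattern behind this advisory, shown as an added example in plain Python so it runs without Django. This is not wger's code: Routine, get_object, routine_detail_vulnerable and routine_detail_fixed are hypothetical stand-ins for the real viewset actions, CACHE stands in for the Django cache backend, and the sample routine is constructed. The vulnerable handler consults the cache before the ownership check with a pk-only key; the hardened handler authorises on every request and scopes the key by user.

```python
"""Added example (not wger's code): cache consulted before the ownership
check, keyed by pk only, versus the hardened form.  All names here are
hypothetical stand-ins; the sample data is constructed."""
from dataclasses import dataclass


class PermissionDenied(Exception):
    """Raised where DRF's get_object() would reject a non-owner."""


@dataclass(frozen=True)
class Routine:
    pk: int
    owner_id: int
    name: str


# Constructed sample data: one routine owned by user 100.
ROUTINES = {1: Routine(pk=1, owner_id=100, name="victim's 5x5 plan")}

# Stand-in for the Django cache backend.
CACHE: dict = {}


def get_object(pk: int, user_id: int) -> Routine:
    """Ownership check: only the owner may load the routine."""
    routine = ROUTINES.get(pk)
    if routine is None or routine.owner_id != user_id:
        raise PermissionDenied(f"user {user_id} may not access routine {pk}")
    return routine


def serialize(routine: Routine) -> dict:
    return {"pk": routine.pk, "name": routine.name}


def routine_detail_vulnerable(pk: int, user_id: int) -> dict:
    """Vulnerable shape: cache read before get_object(), key lacks the user."""
    key = f"routine-detail-{pk}"
    cached = CACHE.get(key)
    if cached is not None:
        return cached  # ownership is never checked on a cache hit
    payload = serialize(get_object(pk, user_id))
    CACHE[key] = payload
    return payload


def routine_detail_fixed(pk: int, user_id: int) -> dict:
    """Hardened shape: authorise first, then use a user-scoped cache key."""
    routine = get_object(pk, user_id)  # permission check on every request
    key = f"routine-detail-{user_id}-{pk}"
    cached = CACHE.get(key)
    if cached is not None:
        return cached
    payload = serialize(routine)
    CACHE[key] = payload
    return payload


def run_scenario(handler) -> dict:
    """Victim (100) warms the cache, then attacker (999) requests the same pk."""
    CACHE.clear()
    handler(pk=1, user_id=100)
    try:
        return {"attacker_got": handler(pk=1, user_id=999)}
    except PermissionDenied:
        return {"attacker_got": None}


if __name__ == "__main__":
    print("vulnerable:", run_scenario(routine_detail_vulnerable))
    print("fixed:     ", run_scenario(routine_detail_fixed))
```

Calling get_object() before the cache read keeps the ownership check on the hot path at the cost of one lookup per request; adding the user ID to the key is a second, independent barrier, so a future handler that again reads the cache first cannot serve one user's payload to another.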