CVE-2026-27839: wger: IDOR in nutritional_values endpoints exposes private dietary data via direct ORM lookup
Three nutritional_values action endpoints fetch objects via Model.objects.get(pk=pk) — a raw ORM call that bypasses the user-scoped queryset. Any authenticated user can read another user’s private nutrition plan data, including caloric intake and full macro breakdown, by supplying an arbitrary PK.
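The following is an added illustration of the lookup pattern described above, written as a Django-free in-memory model so it runs anywhere; it is not wger's code, and the class, function and field names (NutritionPlan, PlanStore, get_unscoped, get_for_user, the owner field) are assumptions made for this example. get_unscoped mirrors Model.objects.get(pk=pk), which consults only the primary key, so any authenticated caller who supplies a foreign PK receives that row. get_for_user mirrors a user-scoped lookup of the form Model.objects.filter(user=request.user).get(pk=pk): ownership is part of the query itself, and a PK belonging to someone else is indistinguishable from a PK that does not exist, which is the property an object-level authorization check should have.

```python
from dataclasses import dataclass
from typing import Callable, Dict, Optional


class NotFound(Exception):
    """Raised both for 'no such row' and 'row not owned by caller'.

    Using one outcome for both cases avoids turning the endpoint into an
    oracle that confirms which PKs exist.
    """


@dataclass(frozen=True)
class NutritionPlan:
    pk: int
    owner: str
    name: str
    macros: Dict[str, float]  # grams of protein / carbs / fat (constructed sample data)


class PlanStore:
    """Stand-in for a Django model manager: rows keyed by primary key."""

    def __init__(self) -> None:
        self._rows: Dict[int, NutritionPlan] = {}

    def add(self, plan: NutritionPlan) -> None:
        self._rows[plan.pk] = plan

    def get_unscoped(self, pk: int) -> NutritionPlan:
        """Vulnerable shape: the equivalent of Model.objects.get(pk=pk).

        The caller's identity plays no part in the lookup.
        """
        try:
            return self._rows[pk]
        except KeyError:
            raise NotFound(pk) from None

    def get_for_user(self, user: str, pk: int) -> NutritionPlan:
        """Hardened shape: the equivalent of
        Model.objects.filter(user=request.user).get(pk=pk).

        Ownership is a predicate of the query, not an afterthought.
        """
        plan = self._rows.get(pk)
        if plan is None or plan.owner != user:
            raise NotFound(pk)
        return plan


def summarize(plan: NutritionPlan) -> Dict[str, object]:
    """Compute the values a nutritional_values action would return."""
    kcal = (4 * plan.macros["protein"]
            + 4 * plan.macros["carbs"]
            + 9 * plan.macros["fat"])
    return {"plan": plan.name, "kcal": kcal, **plan.macros}


def nutritional_values_vulnerable(store: PlanStore, request_user: str, pk: int) -> Dict[str, object]:
    """Action endpoint as described in the advisory: request_user is ignored."""
    return summarize(store.get_unscoped(pk))


def nutritional_values_fixed(store: PlanStore, request_user: str, pk: int) -> Dict[str, object]:
    """Same endpoint with the lookup scoped to the requesting user."""
    return summarize(store.get_for_user(request_user, pk))


def build_sample_store() -> PlanStore:
    """Two users, one private plan each (constructed sample data)."""
    store = PlanStore()
    store.add(NutritionPlan(1, "alice", "Cut", {"protein": 150.0, "carbs": 200.0, "fat": 60.0}))
    store.add(NutritionPlan(2, "bob", "Bulk", {"protein": 180.0, "carbs": 350.0, "fat": 90.0}))
    return store


View = Callable[[PlanStore, str, int], Dict[str, object]]


def probe(view: View, request_user: str, pk: int) -> Optional[Dict[str, object]]:
    """Call `view` as `request_user` for `pk`; None means the row was withheld.

    This is the check a reviewer or test suite can run against each action:
    a user asking for another user's PK must get None from the fixed view.
    """
    try:
        return view(build_sample_store(), request_user, pk)
    except NotFound:
        return None


if __name__ == "__main__":
    # bob asks for alice's plan (pk=1): leaks under the vulnerable view, withheld under the fix
    print("vulnerable:", probe(nutritional_values_vulnerable, "bob", 1))
    print("fixed:     ", probe(nutritional_values_fixed, "bob", 1))
    print("own plan:  ", probe(nutritional_values_fixed, "alice", 1))
```

In a Django REST Framework view the same effect is obtained by filtering the queryset on the requesting user (for example in get_queryset) and resolving the object through that queryset rather than calling Model.objects.get directly; a regression test that requests a known foreign PK as a second authenticated user and expects a 404 catches reintroduction of the raw lookup.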