CVE-2026-43977: wger Vulnerable to IDOR: Authenticated Users Can Read Any User's Private Workout Session Data via Template Routine API

Any authenticated user can read another user’s private workout session notes, exercise history, and training statistics by calling the /logs/ and /stats/ actions on a routine they do not own.

The RoutinePermission class grants read access to any authenticated user when a routine has is_template=True, regardless of ownership. The /logs/ and /stats/ API actions use the same permission check but return the routine owner’s personal training data instead of the requesting user’s data, creating an insecure direct object reference (IDOR).

An attacker with a free account can enumerate all public template routine IDs via GET /api/v2/routine/?is_template=true, then call GET /api/v2/routine/{id}/logs/ and GET /api/v2/routine/{id}/stats/ to access the owner’s private health data including workout notes, weights, repetitions, and performance statistics.