PT-2026-22204 · Wger · Wger

Byamb4 · Published 2026-02-26 · Updated 2026-02-27 · CVE-2026-27838

CVSS v3.1: 3.5 Low
Vector: AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N
Name of the Vulnerable Software and Affected Versions: wger versions prior to 2.4
Description: The software contains a flaw where routine detail action endpoints check a cache before verifying object ownership via self.get_object(). Cache keys are scoped only by the primary key (pk) and do not include the user ID, so a cached response for a routine's pk can be returned to a different authenticated user without any ownership check, provided the victim has previously accessed the routine through the API. The affected API endpoints are: '/api/v2/routine/{pk}/date-sequence-display/', '/api/v2/routine/{pk}/date-sequence-gym/', '/api/v2/routine/{pk}/structure/', '/api/v2/routine/{pk}/logs/', and '/api/v2/routine/{pk}/stats/'. The vulnerable variable used in the cache key construction is routine_id. An attacker can potentially retrieve another user's routine details, including workout day sequences, exercise structure, training logs, and statistics, from the cache without ownership verification. The cache time-to-live (TTL) is one month, so a cached entry remains readable for that long after the owner's last request.
Recommendations: Versions prior to 2.4: include the user ID in the cache key construction so that cached responses are unique per user. Alternatively, move the self.get_object() call before the cache lookup so that ownership is always verified before any cached data is returned.
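The following is an added illustration of the cache-before-ownership-check pattern described above and of the two fixes the recommendation names; it is not wger's code. It runs without Django: a small TTL dict stands in for the cache backend, a dataclass replaces the ORM model, and the function and key names (structure_vulnerable, routine-structure-{pk}, and so on) are assumptions chosen for the example. The demonstrate() helper is the kind of regression test a maintainer would keep: the owner warms the cache, then a second user requests the same pk, and the result shows whether the cached response leaked.

```python
"""Added example (not wger's code): a routine 'structure' endpoint that
consults the cache before checking ownership, beside the two fixes from
the advisory. Names, keys and sample data are constructed for illustration."""
import time
from dataclasses import dataclass, field

CACHE_TTL_SECONDS = 30 * 24 * 3600  # the advisory states a one-month TTL


class PermissionDenied(Exception):
    """Stand-in for the error get_object() raises for a non-owner."""


@dataclass
class Routine:
    pk: int
    owner_id: int
    days: list = field(default_factory=list)


# Constructed sample data: routine 7 belongs to user 1.
ROUTINES = {7: Routine(pk=7, owner_id=1, days=["push", "pull", "legs"])}


class SimpleCache:
    """Minimal TTL cache with the get/set shape of Django's cache API."""

    def __init__(self):
        self._store = {}

    def get(self, key):
        entry = self._store.get(key)
        if entry is None:
            return None
        value, expires = entry
        if time.monotonic() > expires:
            del self._store[key]
            return None
        return value

    def set(self, key, value, timeout):
        self._store[key] = (value, time.monotonic() + timeout)


def get_object(routine_pk, request_user_id):
    """Ownership check, analogous to a queryset filtered by request.user."""
    routine = ROUTINES.get(routine_pk)
    if routine is None or routine.owner_id != request_user_id:
        raise PermissionDenied(f"user {request_user_id} may not read routine {routine_pk}")
    return routine


def build_structure(routine):
    """The expensive serialisation the cache is meant to avoid repeating."""
    return {"pk": routine.pk, "days": list(routine.days)}


def structure_vulnerable(cache, routine_pk, request_user_id):
    """Vulnerable shape: key scoped by pk only, cache read before get_object()."""
    key = f"routine-structure-{routine_pk}"
    cached = cache.get(key)
    if cached is not None:
        return cached  # returned to any authenticated user, owner or not
    routine = get_object(routine_pk, request_user_id)
    data = build_structure(routine)
    cache.set(key, data, CACHE_TTL_SECONDS)
    return data


def structure_fixed_user_scoped_key(cache, routine_pk, request_user_id):
    """Fix 1: include the requesting user's id in the cache key."""
    key = f"routine-structure-{routine_pk}-user-{request_user_id}"
    cached = cache.get(key)
    if cached is not None:
        return cached  # only ever a response this same user was allowed to see
    routine = get_object(routine_pk, request_user_id)
    data = build_structure(routine)
    cache.set(key, data, CACHE_TTL_SECONDS)
    return data


def structure_fixed_check_first(cache, routine_pk, request_user_id):
    """Fix 2: call get_object() before touching the cache at all."""
    routine = get_object(routine_pk, request_user_id)  # raises for non-owners
    key = f"routine-structure-{routine_pk}"
    cached = cache.get(key)
    if cached is not None:
        return cached
    data = build_structure(routine)
    cache.set(key, data, CACHE_TTL_SECONDS)
    return data


def demonstrate(view):
    """Owner (user 1) warms the cache, then user 2 requests the same pk.
    Returns what user 2 received: the routine data (a leak) or None (denied)."""
    cache = SimpleCache()
    view(cache, 7, 1)
    try:
        return view(cache, 7, 2)
    except PermissionDenied:
        return None


if __name__ == "__main__":
    for view in (structure_vulnerable, structure_fixed_user_scoped_key, structure_fixed_check_first):
        print(f"{view.__name__}: second user received {demonstrate(view)!r}")
```

Of the two fixes, checking ownership first is the more robust default: a user-scoped key still relies on every endpoint remembering to add the user id, whereas an authorization check that precedes every cache read cannot be bypassed by a key that was built incorrectly.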

Exploit

Fix

IDOR


Weakness Enumeration

Related Identifiers

CVE-2026-27838
GHSA-42CR-W2GR-M54Q

Affected Products

Wger