GHSA-42cr-w2gr-m54q

Suggest an improvement
Source
https://github.com/advisories/GHSA-42cr-w2gr-m54q
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/02/GHSA-42cr-w2gr-m54q/GHSA-42cr-w2gr-m54q.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-42cr-w2gr-m54q
Aliases
  • CVE-2026-27838
Published
2026-02-26T22:15:30Z
Modified
2026-02-27T00:09:08.610189Z
Severity
  • 3.1 (Low) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N CVSS Calculator
Summary
wger: IDOR via user-unscoped cache keys on routine API actions exposes workout data
Details

Summary

Five routine detail action endpoints check a cache before calling self.get_object(). Cache keys are scoped only by pk — no user ID is included. When a victim has previously accessed their routine via the API, an attacker can retrieve the cached response for the same PK without any ownership check.

Details

wger/manager/api/views.py — five actions follow this pattern (lines 134–201):

@action(detail=True)
def date_sequence_display_mode(self, request, pk=None):
    cache_key = make_routine_api_date_sequence_display_cache_key(pk)
    cached = cache.get(cache_key)
    if cached:
        return Response(cached)   # returned WITHOUT calling self.get_object()
    # only reaches ownership check on cache miss
    routine = self.get_object()
    ...

Cache key construction in wger/utils/cache.py:89–106:

def make_routine_api_date_sequence_display_cache_key(routine_id):
    return f"routine-api-date-sequence-display-{routine_id}"
    # No user ID in key

Cache TTL: 1 month (4 * 604800 seconds, settings_global.py:461).

Affected endpoints:

GET /api/v2/routine/{pk}/date-sequence-display/
GET /api/v2/routine/{pk}/date-sequence-gym/
GET /api/v2/routine/{pk}/structure/
GET /api/v2/routine/{pk}/logs/
GET /api/v2/routine/{pk}/stats/

PoC

1. Victim (user A) visits GET /api/v2/routine/5/structure/ → response cached under key "routine-api-structure-5"
2. Attacker (user B) visits GET /api/v2/routine/5/structure/ → cache hit → returns user A's routine structure without any ownership check

Requires the victim to have previously accessed the endpoint (cache must be populated). Once populated, the cache entry is valid for 1 month.

Impact

An attacker with a registered account can retrieve another user's routine details — workout day sequences, exercise structure, training logs, and statistics — from cache without ownership verification.

Fix: Include the user ID in the cache key:

def make_routine_api_date_sequence_display_cache_key(routine_id, user_id):
    return f"routine-api-date-sequence-display-{user_id}-{routine_id}"

Or move self.get_object() before the cache lookup so ownership is always verified first.

Database specific 
{
    "nvd_published_at": null,
    "github_reviewed_at": "2026-02-26T22:15:30Z",
    "github_reviewed": true,
    "severity": "LOW",
    "cwe_ids": [
        "CWE-639"
    ]
}
References

Affected packages

PyPI / wger

Package

Name
wger
View open source insights on deps.dev
Purl
pkg:pypi/wger

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Last affected
2.1

Affected versions

1.*
1.1
1.1.1
1.2rc1
1.2
1.3
1.4
1.5
1.6
1.6.1
1.7
1.8
1.9
2.*
2.0
2.1

Database specific

source 
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/02/GHSA-42cr-w2gr-m54q/GHSA-42cr-w2gr-m54q.json"