Authorization bypass through user-controlled key in wger - CVE-2026-43977

Published: May 18, 2026

Vulnerability identifier: #VU131757
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2026-43977
CWE-ID: CWE-639
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: wger Project
Affected software:
wger

Detailed vulnerability description

The vulnerability allows a remote attacker to disclose sensitive information.

The vulnerability exists due to improper access control in the RoutineViewSet /logs/ and /stats/ API actions when handling requests for template routines not owned by the requester: the actions verify that the routine is visible to the caller (owner or public template) but do not verify that the caller owns the per-user training data attached to it. A remote attacker can send crafted requests to read another user's private workout session notes, exercise history, and training statistics.

Exploitation is possible against routines marked as public templates, and routine IDs can be enumerated via the routine listing endpoint, so no guessing of identifiers is required.
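The CWE-639 pattern described above, shown as an added defender-side example that is not wger's code: a visibility-only check (owner or public template) versus an ownership check that treats /logs/ and /stats/ as private data regardless of the template flag. Class, function and field names are assumptions, and the sample routine and log entries are constructed.

```python
"""Ownership check for routine sub-resources (hypothetical model of CWE-639)."""
from dataclasses import dataclass, field


@dataclass
class Routine:
    id: int
    owner: str
    is_public_template: bool = False
    logs: list = field(default_factory=list)  # per-user private data


class Forbidden(Exception):
    pass


# Actions that read the routine *definition*: template visibility is enough.
DEFINITION_ACTIONS = {"retrieve"}
# Actions that read the owner's *private training data*: ownership required.
PRIVATE_DATA_ACTIONS = {"logs", "stats"}


def authorize(routine: Routine, requester: str, action: str) -> bool:
    """Return True only if `requester` may perform `action` on `routine`."""
    if routine.owner == requester:
        return True
    if action in DEFINITION_ACTIONS:
        # A public template may be viewed by anyone; a private one may not.
        return routine.is_public_template
    # /logs/, /stats/ and any unknown action never cross user boundaries.
    return False


def logs_visibility_only(routine: Routine, requester: str) -> list:
    """Weak check (the flaw pattern): any public template leaks its owner's logs."""
    if routine.owner == requester or routine.is_public_template:
        return routine.logs
    raise Forbidden(f"routine {routine.id}")


def logs_owner_scoped(routine: Routine, requester: str) -> list:
    """Hardened check: template visibility does not extend to private data."""
    if not authorize(routine, requester, "logs"):
        raise Forbidden(f"routine {routine.id}")
    return routine.logs


if __name__ == "__main__":
    # Constructed sample: alice shares a template; bob is an unrelated user.
    shared = Routine(1, "alice", True, ["2026-05-01: squat 5x5, felt heavy"])
    print("weak:", logs_visibility_only(shared, "bob"))       # leaks alice's notes
    print("owner-scoped:", authorize(shared, "bob", "logs"))  # False
```

A reviewer can apply the same rule to any sub-resource of a shared object: ask whether the data belongs to the object's definition or to one user's activity, and scope the latter to `request.user` even when the parent is public.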


How to mitigate CVE-2026-43977

Install the security update from the vendor's website.

Sources