CVE-2026-27835
wger: IDOR in RepetitionsConfig and MaxRepetitionsConfig API leak other users' workout data
Description
### Summary `RepetitionsConfigViewSet` and `MaxRepetitionsConfigViewSet` return all users' repetition config data because their `get_queryset()` calls `.all()` instead of filtering by the authenticated user. Any registered user can enumerate every other user's workout structure. ### Details `wger/manager/api/views.py:499` and `:518`: ```python # VULNERABLE class RepetitionsConfigViewSet(viewsets.ModelViewSet): def get_queryset(self): return RepetitionsConfig.objects.all() class MaxRepetitionsConfigViewSet(viewsets.ModelViewSet): def get_queryset(self): return MaxRepetitionsConfig.objects.all() ``` Every sibling viewset in the same file correctly filters by user. For example, `WeightConfigViewSet` at line 459: ```python # CORRECT — how it should work def get_queryset(self): return WeightConfig.objects.filter( slot_entry__slot__day__routine__user=self.request.user ) ``` The same user filter is present on `SetsConfig`, `RestConfig`, `RiRConfig`, and their Max variants — only `RepetitionsConfig` and `MaxRepetitionsConfig` are missing it. ### PoC ```python import requests BASE = "http://localhost" headers = {"Authorization": "Token YOUR_TOKEN"} # any registered user r = requests.get(f"{BASE}/api/v2/repetitions-config/", headers=headers) print(r.json()) # returns ALL users' repetition configs, not just your own r = requests.get(f"{BASE}/api/v2/max-repetitions-config/", headers=headers) print(r.json()) # same — all users' max repetition configs ``` Registration is open by default. Sequential IDs allow full enumeration. ### Impact Any authenticated user can read other users' repetition and max-repetitions configs, exposing workout structure (slot entry IDs, iteration values, operations, step counts, repeat flags, requirements JSON). This is a broken object-level authorization (BOLA/IDOR) vulnerability — the same class of issue as OWASP API1. **Fix**: Add the same user filter used by every other config viewset: ```python def get_queryset(self): return RepetitionsConfig.objects.filter( slot_entry__slot__day__routine__user=self.request.user ) ```
How to fix CVE-2026-27835
No fixed version has been published yet. Mitigate by removing the affected package or applying upstream guidance from the references below.
- —no fix listed