PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-43977 wger-project CVE debrief

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-16T23:16:16.167Z and has not been modified since then. The vulnerability exists in wger Workout and Fitness Manager versions prior to 2.6, allowing any authenticated user to read another user's private workout session notes, exercise history, and training statistics. This issue has been fixed in version 2.6. Users should review their current version and update if necessary.

Vendor
wger-project
Product
wger
CVSS
HIGH 7.5
CISA KEV
Not listed in stored evidence
Original CVE published
2026-07-16
Original CVE updated
2026-07-16
Advisory published
2026-07-16
Advisory updated
2026-07-16

Who should care

Users of wger Workout and Fitness Manager versions prior to 2.6 should update to the latest version to prevent unauthorized access to private workout session notes, exercise history, and training statistics. Operators, platform administrators, vulnerability management teams, and security teams should review their current deployments and plan for updates or mitigations.

Technical summary

In wger Workout and Fitness Manager versions prior to 2.6, any authenticated user can read another user's private workout session notes, exercise history, and training statistics by calling the /logs/ and /stats/ actions on a routine they do not own. The vulnerability exists in RoutineViewSet (wger/manager/api/views.py) due to a flawed permission check (RoutinePermission.has_object_permission) that grants read access to any authenticated user when the routine has is_template=True, regardless of ownership. This issue has been fixed in version 2.6.

Defensive priority

High priority should be given to updating wger Workout and Fitness Manager to version 2.6 or later to mitigate this vulnerability. Additional defensive measures include restricting access to /logs/ and /stats/ actions and monitoring for suspicious activity.

Recommended defensive actions

  • Update wger Workout and Fitness Manager to version 2.6 or later
  • Restrict access to /logs/ and /stats/ actions to authorized users only
  • Monitor for suspicious activity on the wger Workout and Fitness Manager instance
  • Confirm whether affected product deployments exist in managed environments and assign an owner for follow-up
  • Review compensating controls for exposed systems while remediation is scheduled and verified
  • Check relevant monitoring, detection, and logs for exposed assets that need extra review
  • Track exceptions, retest remediated assets, and close the item only after evidence is documented

Evidence notes

The vulnerability was reported in the wger Workout and Fitness Manager versions prior to 2.6. The CVE record was published on 2026-07-16T23:16:16.167Z and has not been modified since then. The NVD entry is currently 7.5 HIGH. Evidence is limited to public sources and may not reflect the full scope of affected systems or potential impact.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-16T23:16:16.167Z and has not been modified since then.