PatchSiren cyber security CVE debrief
CVE-2026-43977 wger-project CVE debrief
AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-16T23:16:16.167Z and has not been modified since then. The vulnerability exists in wger Workout and Fitness Manager versions prior to 2.6, allowing any authenticated user to read another user's private workout session notes, exercise history, and training statistics. This issue has been fixed in version 2.6. Users should review their current version and update if necessary.
- Vendor
- wger-project
- Product
- wger
- CVSS
- HIGH 7.5
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-07-16
- Original CVE updated
- 2026-07-16
- Advisory published
- 2026-07-16
- Advisory updated
- 2026-07-16
Who should care
Users of wger Workout and Fitness Manager versions prior to 2.6 should update to the latest version to prevent unauthorized access to private workout session notes, exercise history, and training statistics. Operators, platform administrators, vulnerability management teams, and security teams should review their current deployments and plan for updates or mitigations.
Technical summary
In wger Workout and Fitness Manager versions prior to 2.6, any authenticated user can read another user's private workout session notes, exercise history, and training statistics by calling the /logs/ and /stats/ actions on a routine they do not own. The vulnerability exists in RoutineViewSet (wger/manager/api/views.py) due to a flawed permission check (RoutinePermission.has_object_permission) that grants read access to any authenticated user when the routine has is_template=True, regardless of ownership. This issue has been fixed in version 2.6.
Defensive priority
High priority should be given to updating wger Workout and Fitness Manager to version 2.6 or later to mitigate this vulnerability. Additional defensive measures include restricting access to /logs/ and /stats/ actions and monitoring for suspicious activity.
Recommended defensive actions
- Update wger Workout and Fitness Manager to version 2.6 or later
- Restrict access to /logs/ and /stats/ actions to authorized users only
- Monitor for suspicious activity on the wger Workout and Fitness Manager instance
- Confirm whether affected product deployments exist in managed environments and assign an owner for follow-up
- Review compensating controls for exposed systems while remediation is scheduled and verified
- Check relevant monitoring, detection, and logs for exposed assets that need extra review
- Track exceptions, retest remediated assets, and close the item only after evidence is documented
Evidence notes
The vulnerability was reported in the wger Workout and Fitness Manager versions prior to 2.6. The CVE record was published on 2026-07-16T23:16:16.167Z and has not been modified since then. The NVD entry is currently 7.5 HIGH. Evidence is limited to public sources and may not reflect the full scope of affected systems or potential impact.
Official resources
-
CVE-2026-43977 CVE record
CVE.org
-
CVE-2026-43977 NVD detail
NVD
-
Source item URL
nvd_modified
- Source reference
AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-16T23:16:16.167Z and has not been modified since then.