Description
Wagtail is an open source content management system built on Django. Prior to versions 6.3.6, 7.0.4, 7.1.3, 7.2.2, and 7.3, due to a missing permission check on the preview endpoints, a user with access to the Wagtail admin and knowledge of a model's fields can craft a form submission to obtain a preview rendering of any page, snippet or site setting object for which previews are enabled, consisting of any data of the user's choosing. The existing data of the object itself is not exposed, but depending on the nature of the template being rendered, this may expose other database contents that would otherwise only be accessible to users with edit access over the model. The vulnerability is not exploitable by an ordinary site visitor without access to the Wagtail admin. This issue has been patched in versions 6.3.6, 7.0.4, 7.1.3, 7.2.2, and 7.3.
Published: 2026-02-04
Score: 5.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized data exposure via admin preview rendering
Action: Immediate Patch
AI Analysis

Impact

Wagtail, an open‑source CMS built on Django, contained a missing permission check on its preview endpoints. A user who can log in to the Wagtail admin area and knows a model's field names can submit a crafted form to request a preview rendering of any page, snippet, or site‑setting object that has previewing enabled. The rendered preview uses whatever data the attacker supplies, and because the template may reference other database fields, the response can leak content that normally requires edit rights. The vulnerability does not expose the object's existing data, but it can reveal other protected data. An unauthenticated visitor cannot trigger the flaw.

Affected Systems

All Wagtail releases earlier than 6.3.6, 7.0.4, 7.1.3, 7.2.2, and 7.3 are vulnerable; those patched versions cover the 6.x and 7.x release lines. The affected product is the Wagtail CMS distributed by Torchbox.

Risk and Exploitability

A CVSS score of 5.1 indicates medium severity. An EPSS score below 1% suggests a low probability of exploitation as of the time of analysis, and the vulnerability is not yet in CISA's Known Exploited Vulnerabilities catalog. Exploitation requires access to the Wagtail admin and knowledge of the model's field structure, so the attack surface is limited to authenticated insiders or attackers who have already compromised an admin account. If exploited, the flaw allows an attacker to render arbitrary data through page previews and potentially reveal sensitive information that would otherwise be protected by edit permissions.

Generated by OpenCVE AI on April 17, 2026 at 23:12 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Wagtail to a patched release (6.3.6, 7.0.4, 7.1.3, 7.2.2, or 7.3).
  • If an upgrade is not feasible, disable preview functionality for models that do not need it or restrict preview access to users with edit permissions, e.g., by adding a permission check in the view logic.
  • Ensure that preview endpoints are not exposed to unauthenticated users and that the admin account is protected by strong authentication such as multi‑factor authentication.

Advisories
  • Source: GitHub GHSA
  • ID: GHSA-4qvv-g3vr-m348
  • Title: Wagtail has improper permission handling on admin preview endpoints
History

Fri, 20 Feb 2026 21:30:00 +0000

Values added (nothing removed):
  • First Time appeared: Torchbox; Torchbox wagtail
  • CPEs: cpe:2.3:a:torchbox:wagtail:*:*:*:*:*:*:*:*
  • Vendors & Products: Torchbox; Torchbox wagtail
  • Metrics: cvssV3_1 {'score': 2.7, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N'}


Thu, 05 Feb 2026 15:15:00 +0000

Values added (nothing removed):
  • Metrics: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 05 Feb 2026 11:45:00 +0000

Values added (nothing removed):
  • First Time appeared: Wagtail; Wagtail wagtail
  • Vendors & Products: Wagtail; Wagtail wagtail

Wed, 04 Feb 2026 21:00:00 +0000

Values added (nothing removed):
  • Description: the CVE description text as given in the Description section above
  • Title: Wagtail has improper permission handling on admin preview endpoints
  • Weaknesses: CWE-862
  • References:
  • Metrics: cvssV4_0 {'score': 5.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-02-05T14:32:08.136Z

Reserved: 2026-02-02T18:21:42.487Z

Link: CVE-2026-25517

Vulnrichment

Updated: 2026-02-05T14:20:12.680Z

NVD

Status: Analyzed

Published: 2026-02-04T21:16:02.540

Modified: 2026-02-20T21:20:34.090

Link: CVE-2026-25517

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-17T23:15:30Z

Weaknesses