Description
Wagtail is an open source content management system built on Django. Prior to 7.0.7, 7.3.2, and 7.4, a CMS user without the ability to edit a page could access revisions of the page through the revision compare view if they knew the primary key of two revisions. This could potentially result in disclosure of sensitive information. This vulnerability is fixed in 7.0.7, 7.3.2, and 7.4.
Published: 2026-05-11
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The issue is an improper privilege check that allows users who cannot edit a page to compare two revisions of that page if they know the revisions’ primary keys. By viewing the comparison view, the attacker can read content from both revisions, thereby leaking information that should be restricted. This flaw is a typical example of improper privilege escalation, classified as CWE‑280.

Affected Systems

Affected installations are those running Wagtail versions earlier than 7.0.7, 7.3.2, or 7.4. Users with standard (non‑editor) permissions are impacted because the vulnerability bypasses the permission gate. Upgrading to any supported release that includes the fix removes the flaw.

Risk and Exploitability

The CVSS score of 6.5 indicates moderate severity, while the EPSS score is not listed, suggesting limited publicly documented exploitation at this time. The flaw can be exploited without authentication beyond a basic user account, and the attacker only needs to know two revision identifiers, which could be guessed or discovered through enumeration. The vulnerability is not yet catalogued in CISA’s KEV, but administrators should treat it as a potential disclosure risk.

Generated by OpenCVE AI on May 11, 2026 at 16:58 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Wagtail to version 7.0.7 or later, 7.3.2 or later, or 7.4 or later, which incorporate the fix for the privilege check.
  • Reconfigure the CMS permission model so that only users with edit rights can access the revision comparison endpoint, removing the exposure for standard users.
  • If an upgrade cannot be performed immediately, block or rate‑limit access to the comparison view for non‑editor accounts through server or application configuration to mitigate the risk until a patch is applied.

Generated by OpenCVE AI on May 11, 2026 at 16:58 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-c6wj-9vcj-75pj Wagtail has improper permission handling when comparing revisions
History

Tue, 12 May 2026 16:00:00 +0000

Type Values Removed Values Added
First Time appeared Torchbox
Torchbox wagtail
CPEs cpe:2.3:a:torchbox:wagtail:*:*:*:*:*:*:*:*
Vendors & Products Torchbox
Torchbox wagtail

Mon, 11 May 2026 17:15:00 +0000

Type Values Removed Values Added
First Time appeared Wagtail
Wagtail wagtail
Vendors & Products Wagtail
Wagtail wagtail

Mon, 11 May 2026 15:30:00 +0000

Type Values Removed Values Added
Description Wagtail is an open source content management system built on Django. Prior to 7.0.7, 7.3.2, and 7.4, a CMS user without the ability to edit a page could access revisions of the page through the revision compare view if they knew the primary key of two revisions. This could potentially result in disclosure of sensitive information. This vulnerability is fixed in 7.0.7, 7.3.2, and 7.4.
Title Wagtail: Improper permission handling when comparing revisions
Weaknesses CWE-280
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N'}

Subscriptions

Torchbox Wagtail
Wagtail Wagtail
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-11T14:39:25.356Z

Reserved: 2026-05-05T15:13:47.570Z

Link: CVE-2026-44197

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Analyzed

Published: 2026-05-11T16:17:34.823

Modified: 2026-05-12T15:58:58.510

Link: CVE-2026-44197

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-11T17:00:15Z

Weaknesses