Description
Wagtail is an open source content management system built on Django. Prior to 7.0.7, 7.3.2, and 7.4, a CMS user without the ability to edit a page could still access the history report for the page, potentially resulting in disclosure of sensitive information. This vulnerability is fixed in 7.0.7, 7.3.2, and 7.4.
Published: 2026-05-11
Score: 4.3 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Wagtail, a Django-based content management system, has a flaw where users who cannot edit a page still have access to that page's history report. This improper permission handling can lead to disclosure of sensitive page data. The weakness is identified as CWE-280.

Affected Systems

The issue affects Wagtail releases older than 7.0.7, 7.3.2, and 7.4, including any site running those versions.

Risk and Exploitability

The CVSS base score of 4.3 indicates moderate severity; no EPSS data is available, and the vulnerability is not listed in the CISA KEV catalog. It can be exploited by an authenticated user with read-only or limited permissions who poses as a CMS visitor and accesses the page history endpoint through the web interface—an inference based on the disclosed functionality.

Generated by OpenCVE AI on May 11, 2026 at 16:58 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Wagtail installation to version 7.0.7, 7.3.2, or 7.4, which contain the permission fix.
  • Configure role-based access controls so that only users with explicit edit or management rights can view page history, and verify that no other roles have residual "view history" permission.
  • Test the page history feature with a non-editor account to confirm that the page history is no longer accessible.

Generated by OpenCVE AI on May 11, 2026 at 16:58 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-c4mr-889m-vgf6 Wagtail has improper permission handling when viewing page history
History

Mon, 11 May 2026 17:45:00 +0000

Type Values Removed Values Added
First Time appeared Wagtail
Wagtail wagtail
Vendors & Products Wagtail
Wagtail wagtail

Mon, 11 May 2026 16:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 11 May 2026 15:30:00 +0000

Type Values Removed Values Added
Description Wagtail is an open source content management system built on Django. Prior to 7.0.7, 7.3.2, and 7.4, a CMS user without the ability to edit a page could still access the history report for the page, potentially resulting in disclosure of sensitive information. This vulnerability is fixed in 7.0.7, 7.3.2, and 7.4.
Title Wagtail: Improper permission handling when viewing page history
Weaknesses CWE-280
References
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N'}

Subscriptions

Wagtail Wagtail
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-11T15:53:39.449Z

Reserved: 2026-05-05T15:13:47.570Z

Link: CVE-2026-44198

cve-icon Vulnrichment

Updated: 2026-05-11T15:53:35.729Z

cve-icon NVD

Status : Received

Published: 2026-05-11T16:17:35.057

Modified: 2026-05-11T16:17:35.057

Link: CVE-2026-44198

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-11T17:30:15Z

Weaknesses