CVE-2026-44199 - Vulnerability Details

- Wagtail: Improper permission handling when deleting form submissions

Description

Wagtail is an open source content management system built on Django. Prior to 7.0.7, 7.3.2, and 7.4, a CMS user with limited access to form pages could delete submissions to form pages they don't have access to by crafting a form submission to delete submissions on a page they do have access to for submissions they don't. The vulnerability is not exploitable by an ordinary site visitor without access to the Wagtail admin. This vulnerability is fixed in 7.0.7, 7.3.2, and 7.4.

Published: 2026-05-11

Score: 6.5 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

Wagtail CMS versions before 7.0.7, 7.3.2, and 7.4 contain an improper permission handling flaw that allows a CMS user with limited access to form pages to delete submissions for pages they do not control. By crafting a delete request on a page they can access, the attacker can bypass authorization checks and erase or modify data that should be protected, compromising the integrity and availability of form data.

Affected Systems

The vulnerability affects all installations of Wagtail running versions earlier than 7.0.7, 7.3.2, or any 7.4.x version that has not applied the patch. Sites using these releases are susceptible until they upgrade to the fixed versions.

Risk and Exploitability

The CVSS score of 6.5 indicates moderate severity; EPSS data is unavailable and the vulnerability is not listed in CISA KEV. Exploitation requires an authenticated account with limited permissions, so an ordinary site visitor cannot exploit it. A threat actor would need to obtain or impersonate such a user, making the overall risk moderate but requiring timely remediation.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

wagtail

affected

Version	Status	Constraints
`< 7.0.7`	affected	—
`>= 7.1, < 7.3.2`	affected	—

Configuration 1 [-]

OR	cpe:2.3:a:torchbox:wagtail::::::::
	cpe:2.3:a:torchbox:wagtail::::::::

No data.

Vendor Product Confidence Versions

Wagtail

100%

Version	Status	Scheme	Platform
`[0,7.0.7)`	affected	semver	—
`[7.1.0,7.3.2)`	affected	semver	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade Wagtail to a patched release (7.0.7, 7.3.2, or any 7.4 version that incorporates the fix).
Review and tighten form page permissions to ensure only trusted staff can delete submissions, disabling delete functionality where it is not required.
Monitor administrative deletion logs and set alerts for anomalous or unauthorized deletion activity.

Generated by OpenCVE AI on May 11, 2026 at 16:57 UTC.

Tracking

Sign in to view the affected projects.

Advisories

Source	ID	Title
Github GHSA	GHSA-pwm3-7fv4-g6xx	Wagtail has improper permission handling when deleting form submissions

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact High

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00026.

Exploitation none

Automatable no

Technical Impact partial

References

Link	Providers
https://github.com/wagtail/wagtail/security/advisories/GHSA-pwm3-7fv4-g6xx

History

Tue, 12 May 2026 16:00:00 +0000

Type	Values Removed	Values Added
First Time appeared		Torchbox Torchbox wagtail
CPEs		cpe:2.3:a:torchbox:wagtail::::::::
Vendors & Products		Torchbox Torchbox wagtail

Mon, 11 May 2026 19:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Mon, 11 May 2026 17:15:00 +0000

Type	Values Removed	Values Added
First Time appeared		Wagtail Wagtail wagtail
Vendors & Products		Wagtail Wagtail wagtail

Mon, 11 May 2026 15:30:00 +0000

Type	Values Removed	Values Added
Description		Wagtail is an open source content management system built on Django. Prior to 7.0.7, 7.3.2, and 7.4, a CMS user with limited access to form pages could delete submissions to form pages they don't have access to by crafting a form submission to delete submissions on a page they do have access to for submissions they don't. The vulnerability is not exploitable by an ordinary site visitor without access to the Wagtail admin. This vulnerability is fixed in 7.0.7, 7.3.2, and 7.4.
Title		Wagtail: Improper permission handling when deleting form submissions
Weaknesses		CWE-280
References		https://github.com/wagtail/wagtail/security/advisories/GHSA-pwm3-7fv4-g6xx
Metrics		cvssV3_1 `{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N'}`

Subscriptions

Torchbox Wagtail

Wagtail Wagtail

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2026-05-11T14:40:58.488Z

Updated: 2026-05-11T18:23:01.588Z

Reserved: 2026-05-05T15:13:47.570Z

Link: CVE-2026-44199

Vulnrichment

Updated: 2026-05-11T18:22:53.803Z

NVD

Status : Analyzed

Published: 2026-05-11T16:17:35.430

Modified: 2026-05-12T15:58:28.273

Link: CVE-2026-44199

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-11T17:00:15Z

Weaknesses

CWE-280

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact High

Availability Impact None

User Interaction None

Exploitation none

Automatable no

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object