Description
Wagtail is an open source content management system built on Django. Prior to 7.0.7, 7.3.2, and 7.4, a CMS user with limited access to pages could copy a page they don't have access to to an area of the site they do. Once coped, they'd be able to view its contents, and potentially publish it. Permissions were correctly checked for the copy destination, but not for the source page. This vulnerability is fixed in 7.0.7, 7.3.2, and 7.4.
Published: 2026-05-11
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Wagtail allows a user with limited page access to copy an unrelated page, bypassing source‑page permission checks. Once copied, the user can view and publish the content. The flaw is a classic permission mis‑management issue (CWE‑280). It enables unauthorized disclosure of content and accidental publication of restricted material.

Affected Systems

The vulnerability affects Wagtail CMS versions older than 7.0.7, 7.3.2, and 7.4. Users running any of these releases are at risk if they permit page copy actions to users who do not normally see those pages.

Risk and Exploitability

The CVSS score of 6.5 indicates a moderate severity. Exploitation requires a valid user account with the ability to use the copy function; no remote code execution or elevated privileges outside the CMS are necessary. EPSS data is unavailable, and the vulnerability is not yet listed in the CISA KEV catalog. The likely attack vector is through the web interface, where an authenticated user performs a page copy action that the system fails to constrain based on the source page’s permissions.

Generated by OpenCVE AI on May 11, 2026 at 16:57 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Wagtail to the fixed release – 7.0.7, 7.3.2, or 7.4 – as soon as possible.
  • Limit copy permissions in user groups or custom roles so that only trusted users can copy pages.
  • Set up auditing of page copy actions to detect any unauthorized copies and review activity logs regularly.

Generated by OpenCVE AI on May 11, 2026 at 16:57 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-67rv-mg8q-5pf3 Wagtail has improper permission handling when copying pages
History

Tue, 12 May 2026 16:00:00 +0000

Type Values Removed Values Added
First Time appeared Torchbox
Torchbox wagtail
CPEs cpe:2.3:a:torchbox:wagtail:*:*:*:*:*:*:*:*
Vendors & Products Torchbox
Torchbox wagtail

Mon, 11 May 2026 19:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 11 May 2026 17:30:00 +0000

Type Values Removed Values Added
First Time appeared Wagtail
Wagtail wagtail
Vendors & Products Wagtail
Wagtail wagtail

Mon, 11 May 2026 15:30:00 +0000

Type Values Removed Values Added
Description Wagtail is an open source content management system built on Django. Prior to 7.0.7, 7.3.2, and 7.4, a CMS user with limited access to pages could copy a page they don't have access to to an area of the site they do. Once coped, they'd be able to view its contents, and potentially publish it. Permissions were correctly checked for the copy destination, but not for the source page. This vulnerability is fixed in 7.0.7, 7.3.2, and 7.4.
Title Wagtail: Improper permission handling when copying pages
Weaknesses CWE-280
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N'}

Subscriptions

Torchbox Wagtail
Wagtail Wagtail
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-11T19:07:11.475Z

Reserved: 2026-05-05T15:13:47.570Z

Link: CVE-2026-44200

cve-icon Vulnrichment

Updated: 2026-05-11T18:54:18.966Z

cve-icon NVD

Status : Analyzed

Published: 2026-05-11T16:17:35.713

Modified: 2026-05-12T15:57:27.673

Link: CVE-2026-44200

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-11T17:15:39Z

Weaknesses