CVE-2026-44199
Received - Intake
Unauthorized Form Submission Deletion in Wagtail CMS

Publication date: 2026-05-11

Last updated on: 2026-05-11

Assigner: GitHub, Inc.

Description
Wagtail is an open source content management system built on Django. Prior to 7.0.7, 7.3.2, and 7.4, a CMS user with limited access to form pages could delete submissions belonging to form pages they do not have access to: the deletion request is made against a form page the user is permitted to manage, but the submissions it selects belong to other pages, and they are deleted anyway. The vulnerability is not exploitable by an ordinary site visitor without access to the Wagtail admin. This vulnerability is fixed in 7.0.7, 7.3.2, and 7.4.
Meta Information
Published: 2026-05-11
Last Modified: 2026-05-11
Generated: 2026-05-11
AI Q&A: 2026-05-11
EPSS Evaluated: N/A
Affected Vendors & Products
Showing 4 associated CPEs

Vendor    Product   Version / Range
wagtail   wagtail   up to 7.0.7 (excluding)
wagtail   wagtail   up to 7.3.2 (excluding)
wagtail   wagtail   up to 7.4 (excluding)
wagtail   wagtail   from 7.1 (including) to 7.3.1 (excluding)

Note: these CPE ranges overlap and are broader than the description; a patched 7.0.7 install, for example, still falls inside "up to 7.4 (excluding)". Treat the fixed releases named in the description as authoritative: 7.0.7 for the 7.0 series, 7.3.2 for the 7.3 series, and 7.4 otherwise. A 7.1.x or 7.2.x install has no fix in its own series and should move to 7.3.2 or 7.4.
CWE
CWE-280: The product does not handle or incorrectly handles when it has insufficient privileges to access resources or functionality as specified by their permissions. This may cause it to follow unexpected code paths that may leave the product in an invalid state.
AI Powered Q&A
How can this vulnerability impact me?

This vulnerability allows CMS users with limited access to form pages to delete submissions they should not be able to delete, including submissions to form pages they cannot otherwise manage. It is an integrity issue: unauthorized deletion of form submissions destroys data that may be hard or impossible to recover without a backup.

The attacker must already hold an account in the Wagtail admin, so the exposure is limited to existing CMS users (an account with narrow form-page permissions is enough). It still poses a moderate threat, with a CVSS score of 6.5.


Can you explain this vulnerability to me?

This vulnerability exists in Wagtail CMS versions prior to 7.0.7, 7.3.2, and 7.4. A CMS user who has limited access to form pages can delete submissions from form pages they do not have access to. The user submits a deletion request against a form page they are permitted to manage, but the submissions selected in that request belong to other pages; the permission check passes for the page in the request while the selected submissions are deleted regardless of which page they belong to. Exploitation requires access to the Wagtail admin interface and is not possible for ordinary site visitors.

The root cause is improper handling of insufficient permissions (classified as CWE-280): the authorization decision is made for one resource while the operation acts on others.
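To make the bug class concrete, the following is an added, self-contained Python model of the pattern the description implies. It is example code written for this page, not Wagtail's own views or models; the Submission, User and SubmissionStore names and the two delete functions are hypothetical. The permission check is made against the page named in the request, but the vulnerable variant builds the set of rows to delete from the selected IDs alone, so an ID belonging to another page is deleted too; the fixed variant scopes that set to the page that was authorised.

```python
from dataclasses import dataclass

# Constructed in-memory stand-ins for the relevant objects. This models the bug
# class described above; it is not Wagtail's code, and all names are hypothetical.


@dataclass(frozen=True)
class Submission:
    id: int
    page_id: int  # the form page this submission was made to


@dataclass
class User:
    username: str
    allowed_pages: frozenset  # form pages this CMS user may manage


class PermissionDenied(Exception):
    pass


class SubmissionStore:
    """Minimal table of submissions with the two query shapes that matter."""

    def __init__(self, submissions):
        self._rows = {s.id: s for s in submissions}

    def ids(self):
        return sorted(self._rows)

    def filter(self, ids, page_id=None):
        wanted = set(ids)
        rows = [s for s in self._rows.values() if s.id in wanted]
        if page_id is not None:  # scope to one page, like filter(page=..., id__in=...)
            rows = [s for s in rows if s.page_id == page_id]
        return rows

    def delete(self, rows):
        for s in rows:
            del self._rows[s.id]
        return len(rows)


def check_page_permission(user, page_id):
    if page_id not in user.allowed_pages:
        raise PermissionDenied(f"{user.username} may not manage form page {page_id}")


def delete_submissions_vulnerable(store, user, page_id, selected_ids):
    """Checks the user against the page in the request, then deletes every row
    matching the selected IDs, whichever page those rows belong to."""
    check_page_permission(user, page_id)
    return store.delete(store.filter(selected_ids))


def delete_submissions_fixed(store, user, page_id, selected_ids):
    """Same permission check, but the rows are scoped to the authorised page,
    so IDs from other pages match nothing and are left untouched."""
    check_page_permission(user, page_id)
    return store.delete(store.filter(selected_ids, page_id=page_id))


def fresh_store():
    # Two submissions on page 42, one on page 77 (constructed data).
    return SubmissionStore([Submission(1001, 42), Submission(1002, 42), Submission(2001, 77)])


def demo():
    """An editor allowed only on page 42 sends a deletion against page 42 that
    names one ID from page 77. Returns what each variant deleted and kept."""
    editor = User("editor1", frozenset({42}))
    vuln = fresh_store()
    n_vuln = delete_submissions_vulnerable(vuln, editor, 42, [1001, 2001])
    fixed = fresh_store()
    n_fixed = delete_submissions_fixed(fixed, editor, 42, [1001, 2001])
    return {
        "vulnerable_deleted": n_vuln, "vulnerable_remaining": vuln.ids(),
        "fixed_deleted": n_fixed, "fixed_remaining": fixed.ids(),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point of the fixed variant is that authorization and the data query are tied to the same object: whatever the request names, only rows of the page the user was cleared for can be touched, and a user with no access to that page is rejected before any query runs.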


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability involves unauthorized deletion of form submissions by CMS users with limited access to form pages. Detection means looking for deletion activity on form submissions that does not match the permissions of the user who performed it.

Since exploitation requires authenticated access to the Wagtail admin interface, this is an audit-log problem rather than a network-traffic one: review web-server and admin logs for submission deletion requests, and compare the submissions each request selects against the form page named in the request and the page permissions of the user who made it. A request against a page the user may manage that selects submissions belonging to a different page is the signature of this attack.

No specific commands or detection tools are provided in the available information.
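As an added example (not from this page or the Wagtail project), the following Python script applies that idea retrospectively to web-server access logs: it picks out submission deletion requests and flags any whose selected submission IDs do not all belong to the form page named in the request path. The log lines are constructed for the example; the admin URL layout (/admin/forms/submissions/<page_id>/delete/), the selected-submissions parameter name and the fact that the IDs appear in the query string of the confirming POST are assumptions to check against your own deployment. The ID-to-page mapping would come from the database, or from a backup taken before the deletions, since deleted rows no longer exist in the live table.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample of web-server access-log lines (combined format). The admin
# URL layout and the "selected-submissions" parameter name are assumptions made
# for this example; confirm them against your own Wagtail deployment.
SAMPLE_LOG = """\
10.0.0.5 - editor1 [11/May/2026:10:01:12 +0000] "GET /admin/forms/submissions/42/ HTTP/1.1" 200 8123
10.0.0.5 - editor1 [11/May/2026:10:01:40 +0000] "POST /admin/forms/submissions/42/delete/?selected-submissions=1001&selected-submissions=1002 HTTP/1.1" 302 0
10.0.0.5 - editor1 [11/May/2026:10:02:03 +0000] "POST /admin/forms/submissions/42/delete/?selected-submissions=1003&selected-submissions=2001 HTTP/1.1" 302 0
10.0.0.9 - admin [11/May/2026:10:05:00 +0000] "POST /admin/forms/submissions/77/delete/?selected-submissions=2002 HTTP/1.1" 302 0
"""

# Constructed submission-id -> form-page-id mapping, as exported from the
# database or from a backup taken before the deletions.
SUBMISSION_PAGE = {1001: 42, 1002: 42, 1003: 42, 2001: 77, 2002: 77}

LOG_RE = re.compile(r'^(\S+) \S+ (\S+) \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')
DELETE_PATH_RE = re.compile(r"^/admin/forms/submissions/(\d+)/delete/?$")


def find_cross_page_deletions(log_text, submission_page):
    """Return one finding per deletion POST whose selected submission IDs do not
    all belong to the form page named in the request path. IDs missing from the
    mapping are treated as foreign too, which errs on the side of flagging."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        client, user, method, target, status = m.groups()
        if method != "POST":
            continue  # the confirming POST is the request that actually deletes
        parts = urlsplit(target)
        pm = DELETE_PATH_RE.match(parts.path)
        if not pm:
            continue
        page_id = int(pm.group(1))
        selected = parse_qs(parts.query).get("selected-submissions", [])
        ids = [int(v) for v in selected if v.isdigit()]
        foreign = [i for i in ids if submission_page.get(i) != page_id]
        if foreign:
            findings.append({
                "client": client,
                "user": user,
                "page_id": page_id,
                "foreign_ids": foreign,
                "status": int(status),
            })
    return findings


if __name__ == "__main__":
    for finding in find_cross_page_deletions(SAMPLE_LOG, SUBMISSION_PAGE):
        print(
            f"{finding['user']}@{finding['client']} deleted on page {finding['page_id']} "
            f"but selected submissions from other pages: {finding['foreign_ids']}"
        )
```

On the constructed sample, the second POST by editor1 is flagged because it selects submission 2001, which belongs to page 77, through the delete endpoint of page 42; the admin's deletion on page 77 is not, because every selected ID belongs to that page. Combined with a list of which users hold permissions on which form pages, the same loop can also flag deletions on pages the user should not have reached at all.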


What immediate steps should I take to mitigate this vulnerability?

The primary mitigation is to upgrade Wagtail CMS to a release in which this vulnerability is fixed.

  • Upgrade to Wagtail 7.0.7 (7.0 series), 7.3.2 (7.3 series), or 7.4 or later; 7.1.x and 7.2.x installs have no fix in their own series and should move to 7.3.2 or 7.4.

Additionally, since exploitation requires authenticated access to the Wagtail admin interface, restrict admin accounts to trusted users and keep form-page permissions limited to the users who need them.
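As an added example (not part of this advisory), a small Python helper that encodes the fixed releases listed above and reports whether a given Wagtail version is affected and which release to move to. It assumes that 7.1.x and 7.2.x should go to 7.4 (7.3.2 would also do) and that pre-release tags such as 7.4rc1 compare as their base version; both are assumptions of the example, not statements from the advisory.

```python
import re
from importlib import metadata

# Fixed releases named in the advisory, keyed by release series. Series with no
# in-series fix (7.1.x, 7.2.x and anything older than 7.0) fall back to 7.4.
FIXED_RELEASES = {"7.0": "7.0.7", "7.3": "7.3.2"}
DEFAULT_FIX = "7.4"

VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?")


def parse_version(text):
    """Reduce a version string to (major, minor, patch). Pre-release suffixes such
    as 'rc1' are ignored, so '7.4rc1' compares as 7.4.0 (an assumption here)."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version: {text!r}")
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))


def recommended_fix(version_text):
    """The release named in the advisory that this installation should move to."""
    major, minor, _ = parse_version(version_text)
    return FIXED_RELEASES.get(f"{major}.{minor}", DEFAULT_FIX)


def is_affected(version_text):
    """True when the version predates the fixed release for its series."""
    return parse_version(version_text) < parse_version(recommended_fix(version_text))


def installed_wagtail_status():
    """Look up the Wagtail package installed in this Python environment. Returns
    None if Wagtail is not installed, otherwise a dict with the verdict."""
    try:
        version = metadata.version("wagtail")
    except metadata.PackageNotFoundError:
        return None
    affected = is_affected(version)
    return {
        "installed": version,
        "affected": affected,
        "upgrade_to": recommended_fix(version) if affected else None,
    }


if __name__ == "__main__":
    status = installed_wagtail_status()
    if status is None:
        print("wagtail is not installed in this environment")
    else:
        print(status)
```

Run it inside the virtual environment that serves the site, since that is the Wagtail the application actually imports; a version found elsewhere on the host says nothing about the deployment.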

