CVE-2026-44199
Received Received - Intake
Unauthorized Form Submission Deletion in Wagtail CMS

Publication date: 2026-05-11

Last updated on: 2026-05-11

Assigner: GitHub, Inc.

Description
Wagtail is an open source content management system built on Django. Prior to 7.0.7, 7.3.2, and 7.4, a CMS user with limited access to form pages could delete submissions to form pages they don't have access to by crafting a form submission to delete submissions on a page they do have access to for submissions they don't. The vulnerability is not exploitable by an ordinary site visitor without access to the Wagtail admin. This vulnerability is fixed in 7.0.7, 7.3.2, and 7.4.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-11
Last Modified
2026-05-11
Generated
2026-06-21
AI Q&A
2026-05-11
EPSS Evaluated
2026-06-19
NVD
CVE-2026-44199
Affected Vendors & Products
Showing 4 associated CPEs
Vendor Product Version / Range
wagtail wagtail to 7.0.7 (exc)
wagtail wagtail to 7.3.2 (exc)
wagtail wagtail to 7.4 (exc)
wagtail wagtail From 7.1 (inc) to 7.3.1 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-280 The product does not handle or incorrectly handles when it has insufficient privileges to access resources or functionality as specified by their permissions. This may cause it to follow unexpected code paths that may leave the product in an invalid state.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Impact Analysis

This vulnerability can impact you by allowing users with limited access to form pages to delete submissions they should not have permission to delete. This compromises the integrity of your data, as unauthorized deletion of form submissions can lead to loss of important information.

Since the vulnerability requires admin-level access, the risk is limited to trusted users who have some level of access, but it still poses a moderate threat with a CVSS score of 6.5.

Executive Summary

This vulnerability exists in Wagtail CMS versions prior to 7.0.7, 7.3.2, and 7.4. It allows a CMS user who has limited access to form pages to delete submissions from form pages they do not have access to. This is done by crafting a form submission to delete submissions on a page they do have access to, but targeting submissions they should not be able to delete. The vulnerability requires the user to have admin access to Wagtail and cannot be exploited by ordinary site visitors.

The issue is caused by improper handling of insufficient permissions (classified as CWE-280), allowing unauthorized deletion of form submissions.

Detection Guidance

This vulnerability involves unauthorized deletion of form submissions by CMS users with limited access to form pages. Detection would require monitoring for unusual deletion activities on form submissions, especially deletions performed by users who should not have access to those submissions.

Since exploitation requires authenticated access to the Wagtail admin interface, network detection might focus on auditing admin user actions and reviewing logs for deletion requests on form submissions that do not align with user permissions.

No specific commands or detection tools are provided in the available information.

Mitigation Strategies

The primary mitigation step is to upgrade Wagtail CMS to a patched version where this vulnerability is fixed.

  • Upgrade to Wagtail version 7.0.7, 7.3.2, or 7.4 or later.

Additionally, restrict admin access to trusted users only, as exploitation requires authenticated access to the Wagtail admin interface.

Compliance Impact

This vulnerability allows users with limited access to form pages to delete submissions from pages they do not have permission to access, leading to unauthorized deletion of data.

Such unauthorized deletion of data can impact data integrity, which is a critical aspect of compliance with standards and regulations like GDPR and HIPAA that require proper protection and handling of personal and sensitive data.

However, exploitation requires Wagtail admin access, limiting the risk from ordinary site visitors.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-44199. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart