CVE-2026-44200
Unauthorized Page Copy in Wagtail CMS

Publication date: 2026-05-11

Last updated on: 2026-05-11

Assigner: GitHub, Inc.

Description
Wagtail is an open source content management system built on Django. Prior to 7.0.7, 7.3.2, and 7.4, a CMS user with limited page access could copy a page they do not have access to into an area of the site where they do. Once copied, they would be able to view its contents and potentially publish it. Permissions were correctly checked for the copy destination, but not for the source page. This vulnerability is fixed in 7.0.7, 7.3.2, and 7.4.
Meta Information
Published: 2026-05-11
Last Modified: 2026-05-11
Generated: 2026-06-21
AI Q&A: 2026-05-11
EPSS Evaluated: 2026-06-19
NVD
Affected Vendors & Products
Vendor: wagtail
Product: wagtail
Version / Range: up to 7.4 (excluding)
CWE
CWE-280: The product does not handle or incorrectly handles when it has insufficient privileges to access resources or functionality as specified by their permissions. This may cause it to follow unexpected code paths that may leave the product in an invalid state.
Compliance Impact

This vulnerability allows users with limited access to copy and view restricted content they should not have access to. Such unauthorized access to sensitive or confidential information could lead to violations of data protection regulations like GDPR or HIPAA, which require strict access controls to protect personal and sensitive data.

By enabling unauthorized viewing and potential publishing of restricted content, the vulnerability undermines the principle of least privilege and proper permission enforcement, which are critical for compliance with these standards.

Detection Guidance

This vulnerability affects Wagtail CMS versions prior to 7.0.7, 7.3.2, and 7.4. To detect if your system is vulnerable, first verify the installed Wagtail version.

  • Check the Wagtail version by running: python -m wagtail --version or by inspecting your project's dependencies (e.g., pip show wagtail).
  • If the installed version is earlier than the fixed release for its series (7.0.7 for 7.0.x, 7.3.2 for 7.3.x, or 7.4 for any other release before 7.4), your system is vulnerable.

Since the vulnerability involves unauthorized copying of pages, monitoring logs for unusual page copy activities by users with limited permissions may help detect exploitation attempts.

No specific network or system commands are provided in the available resources to detect exploitation attempts directly.

Executive Summary

This vulnerability affects Wagtail CMS versions prior to 7.0.7, 7.3.2, and 7.4. It allows a user with limited access to certain pages to copy a page they do not have permission to access into an area of the site where they do have access.

The core issue is that permission checks were only performed on the destination location of the copied page, but not on the source page itself. This means unauthorized users could copy restricted content to accessible areas.

Once copied, the user could view the contents of the restricted page and potentially publish it, bypassing intended access controls.

Impact Analysis

This vulnerability can lead to unauthorized disclosure of sensitive or restricted content by allowing users to access pages they should not be able to view.

Additionally, it may allow unauthorized users to publish content they do not have permission to manage, potentially leading to misinformation or exposure of confidential information.

The vulnerability has a medium severity score (CVSS 6.5) with low attack complexity and requires only low privileges, making it a significant risk if exploited.

Mitigation Strategies

To mitigate this vulnerability, you should upgrade Wagtail CMS to one of the fixed versions: 7.0.7, 7.3.2, or 7.4.

These versions include patches that properly check permissions on the source page when copying, preventing unauthorized users from viewing or publishing restricted content.
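The following is an added, constructed illustration of the bug class described above, not Wagtail's code: a page-copy action that checks the user's permission on the destination only, beside the corrected form that also checks the source page. Pages form a tree and a user's permissions are granted on subtree roots; all class and function names are hypothetical.

```python
# Constructed model of the CVE-2026-44200 bug class (missing source-page check
# on copy). Not Wagtail's code: pages form a tree and permissions are granted on
# subtree roots and inherited by descendants.
from dataclasses import dataclass, field


@dataclass
class Page:
    title: str
    parent: "Page | None" = None

    def ancestors_and_self(self):
        node = self
        while node is not None:
            yield node
            node = node.parent


@dataclass
class User:
    editable_roots: set = field(default_factory=set)  # titles of subtree roots

    def can_edit(self, page: Page) -> bool:
        # Permission is inherited down the tree from any granted root.
        return any(p.title in self.editable_roots for p in page.ancestors_and_self())


class PermissionDenied(Exception):
    pass


def _do_copy(source: Page, destination: Page) -> Page:
    return Page(title=source.title, parent=destination)


def copy_page_vulnerable(user: User, source: Page, destination: Page) -> Page:
    # Pre-fix: only the destination is checked, so a user with no access to
    # `source` can copy it into their own area and read (or publish) it there.
    if not user.can_edit(destination):
        raise PermissionDenied("cannot create pages under destination")
    return _do_copy(source, destination)


def copy_page_fixed(user: User, source: Page, destination: Page) -> Page:
    # Post-fix: the source page must be accessible to the user as well.
    if not user.can_edit(source):
        raise PermissionDenied("cannot access source page")
    if not user.can_edit(destination):
        raise PermissionDenied("cannot create pages under destination")
    return _do_copy(source, destination)
```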
