CVE-2026-44200
Unauthorized Page Copy in Wagtail CMS
Publication date: 2026-05-11
Last updated on: 2026-05-11
Assigner: GitHub, Inc.
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| wagtail | wagtail | up to 7.4 (exclusive) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-280 | The product does not handle or incorrectly handles when it has insufficient privileges to access resources or functionality as specified by their permissions. This may cause it to follow unexpected code paths that may leave the product in an invalid state. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability affects Wagtail CMS versions prior to 7.0.7, 7.3.2, and 7.4. It allows a user with limited access to certain pages to copy a page they do not have permission to access into an area of the site where they do have access.
The core issue is that permission checks were only performed on the destination location of the copied page, but not on the source page itself. This means unauthorized users could copy restricted content to accessible areas.
Once copied, the user could view the contents of the restricted page and potentially publish it, bypassing intended access controls.
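The destination-only check described above can be shown with a simplified model. This is an added illustration, not Wagtail's code: the `Page` and `User` classes, the two copy functions and the sample site are hypothetical and constructed for the example.

```python
from dataclasses import dataclass, field

@dataclass(eq=False)          # identity comparison, pages form a tree
class Page:
    title: str
    body: str
    parent: "Page | None" = None
    children: list = field(default_factory=list)

    def add_child(self, child):
        child.parent = self
        self.children.append(child)
        return child

    def ancestors_and_self(self):
        node = self
        while node is not None:
            yield node
            node = node.parent

@dataclass(eq=False)
class User:
    name: str
    editable_roots: list      # subtrees this user may work in (assumed model)

    def can_access(self, page):
        return any(p in self.editable_roots for p in page.ancestors_and_self())

def copy_page_vulnerable(user, source, destination):
    # Flawed pattern: only the destination is authorised.
    if not user.can_access(destination):
        raise PermissionError("no access to destination")
    return destination.add_child(Page(source.title, source.body))

def copy_page_fixed(user, source, destination):
    # Corrected pattern: the source must be authorised as well.
    if not user.can_access(source):
        raise PermissionError("no access to source page")
    if not user.can_access(destination):
        raise PermissionError("no access to destination")
    return destination.add_child(Page(source.title, source.body))

def build_site():
    # Constructed sample tree: Root -> HR -> Salaries, Root -> Blog
    root = Page("Root", "")
    hr = root.add_child(Page("HR", ""))
    salaries = hr.add_child(Page("Salaries", "constructed confidential text"))
    blog = root.add_child(Page("Blog", ""))
    return User("blog_editor", [blog]), salaries, blog
```

In the vulnerable variant the copy lands under a subtree the user controls, so the restricted body becomes readable there; the fixed variant rejects the request before any content is duplicated.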
How can this vulnerability impact me?
This vulnerability can lead to unauthorized disclosure of sensitive or restricted content by allowing users to access pages they should not be able to view.
Additionally, it may allow unauthorized users to publish content they do not have permission to manage, potentially leading to misinformation or exposure of confidential information.
The vulnerability has a medium severity score (CVSS 6.5) with low attack complexity and requires only low privileges, making it a significant risk if exploited.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, you should upgrade Wagtail CMS to one of the fixed versions: 7.0.7, 7.3.2, or 7.4.
These versions include patches that properly check permissions on the source page when copying, preventing unauthorized users from viewing or publishing restricted content.