CVE-2026-44201
Received Received - Intake
Information Disclosure in Wagtail CMS

Publication date: 2026-05-11

Last updated on: 2026-05-11

Assigner: GitHub, Inc.

Description
Wagtail is an open source content management system built on Django. Prior to 7.0.7, 7.3.2, and 7.4, the Documents and Images API incorrectly listed items in private collections. A user with access to the API could see the filename and name of documents and images in private collections. This vulnerability is fixed in 7.0.7, 7.3.2, and 7.4.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-11
Last Modified
2026-05-11
Generated
2026-06-21
AI Q&A
2026-05-11
EPSS Evaluated
2026-06-19
NVD
CVE-2026-44201
Affected Vendors & Products
Showing 5 associated CPEs
Vendor Product Version / Range
wagtail wagtail to 7.0.7 (exc)
wagtail wagtail to 7.1 (exc)
wagtail wagtail to 7.3.1 (exc)
wagtail wagtail 7.3.2
wagtail wagtail 7.4
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-280 The product does not handle or incorrectly handles when it has insufficient privileges to access resources or functionality as specified by their permissions. This may cause it to follow unexpected code paths that may leave the product in an invalid state.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Compliance Impact

This vulnerability allows unauthorized users with API access to view filenames and names of documents and images in private collections, potentially exposing sensitive information.

Such unauthorized exposure of sensitive data could lead to non-compliance with data protection regulations like GDPR and HIPAA, which require strict controls on access to personal and sensitive information.

Mitigating this risk by applying authentication to the Documents and Images APIs and updating to patched versions helps maintain compliance with these standards.

Executive Summary

CVE-2026-44201 is a vulnerability in Wagtail, an open source content management system built on Django. The issue occurs in versions prior to 7.0.7, 7.3.2, and 7.4, where the Documents and Images API incorrectly lists items in private collections.

This means that a user with access to the API could see the filenames and names of documents and images that are supposed to be private, leading to unauthorized exposure of sensitive information.

The vulnerability is due to improper handling of permissions (classified under CWE-280) and has been fixed in the mentioned patched versions.

Impact Analysis

This vulnerability can lead to unauthorized disclosure of sensitive information by exposing filenames and names of documents and images stored in private collections.

An attacker or unauthorized user with API access could gain insight into private content metadata, which might be used for further attacks or data leakage.

The CVSS score of 5.3 indicates a medium severity impact, primarily affecting confidentiality without impacting integrity or availability.

Detection Guidance

This vulnerability involves the Documents and Images API in Wagtail incorrectly listing items in private collections, allowing users with API access to see filenames and names of documents and images that should be private.

To detect this vulnerability on your system, you can attempt to access the Documents and Images API endpoints without proper authentication and check if private collection items are listed.

For example, you can use curl commands to query the API and observe the response:

  • curl -X GET https://your-wagtail-site/api/v2beta/documents/ -v
  • curl -X GET https://your-wagtail-site/api/v2beta/images/ -v

If these commands return filenames or names of documents and images from private collections without requiring authentication, your system is likely vulnerable.

Mitigation Strategies

To mitigate this vulnerability, you should upgrade Wagtail to one of the fixed versions: 7.0.7, 7.3.2, or 7.4.

Additionally, site owners can add authentication to the Documents and Images APIs to prevent unauthorized access to private collections.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-44201. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart