CVE-2026-44201
Information Disclosure in Wagtail CMS
Publication date: 2026-05-11
Last updated on: 2026-05-11
Assigner: GitHub, Inc.
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| wagtail | wagtail | to 7.0.7 (exc) |
| wagtail | wagtail | to 7.1 (exc) |
| wagtail | wagtail | to 7.3.1 (exc) |
| wagtail | wagtail | 7.3.2 |
| wagtail | wagtail | 7.4 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-280 | The product does not handle or incorrectly handles when it has insufficient privileges to access resources or functionality as specified by their permissions. This may cause it to follow unexpected code paths that may leave the product in an invalid state. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-44201 is a vulnerability in Wagtail, an open source content management system built on Django. The issue occurs in versions prior to 7.0.7, 7.3.2, and 7.4, where the Documents and Images API incorrectly lists items in private collections.
This means that a user with access to the API could see the filenames and names of documents and images that are supposed to be private, leading to unauthorized exposure of sensitive information.
The vulnerability is due to improper handling of permissions (classified under CWE-280) and has been fixed in the mentioned patched versions.
How can this vulnerability impact me?
This vulnerability can lead to unauthorized disclosure of sensitive information by exposing filenames and names of documents and images stored in private collections.
An attacker or unauthorized user with API access could gain insight into private content metadata, which might be used for further attacks or data leakage.
The CVSS score of 5.3 indicates a medium severity impact, primarily affecting confidentiality without impacting integrity or availability.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves the Documents and Images API in Wagtail incorrectly listing items in private collections, allowing users with API access to see filenames and names of documents and images that should be private.
To detect this vulnerability on your system, you can attempt to access the Documents and Images API endpoints without proper authentication and check if private collection items are listed.
For example, you can use curl commands to query the API and observe the response:
- curl -X GET https://your-wagtail-site/api/v2beta/documents/ -v
- curl -X GET https://your-wagtail-site/api/v2beta/images/ -v
If these commands return filenames or names of documents and images from private collections without requiring authentication, your system is likely vulnerable.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, you should upgrade Wagtail to one of the fixed versions: 7.0.7, 7.3.2, or 7.4.
Additionally, site owners can add authentication to the Documents and Images APIs to prevent unauthorized access to private collections.
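The curl probe above only tells you what an anonymous client sees; the quicker triage question for a fleet of Django projects is whether the pinned Wagtail release falls inside the affected ranges in the version table. The script below is an added example written for this page, not code from the CVE record or from the Wagtail project. It encodes the two vulnerable ranges implied by the fixed releases 7.0.7, 7.3.2 and 7.4 (below 7.0.7, and 7.1 up to but excluding 7.3.2), reads the installed version via `importlib.metadata`, and scans constructed requirements-file text for `wagtail==` pins. Treating a pre-release tag such as `7.4rc1` as the release it precedes is an assumption made here, not something the record states.

```python
"""Triage Wagtail versions against the affected ranges for CVE-2026-44201.

Added example (not part of the CVE record). Ranges are derived from the
record's fixed releases 7.0.7, 7.3.2 and 7.4:
  - any release below 7.0.7 (the 7.0.x line is fixed at 7.0.7)
  - any release from 7.1 up to, but excluding, 7.3.2
Assumption: pre-release tags (e.g. '7.4rc1') are treated as the final
release they precede; review those by hand if that matters to you.
"""
import re
from importlib.metadata import PackageNotFoundError, version as installed
from typing import Dict, Optional, Tuple

Version = Tuple[int, int, int]

# (inclusive lower bound or None, exclusive upper bound)
VULNERABLE_RANGES = [
    (None, (7, 0, 7)),
    ((7, 1, 0), (7, 3, 2)),
]

VERSION_RE = re.compile(r"(\d+)\.(\d+)(?:\.(\d+))?")

# Constructed sample requirements text (not from any real project).
SAMPLE_REQUIREMENTS = """\
Django==5.2
wagtail==7.2.3  # CMS
djangorestframework==3.15.2
"""


def parse_version(text: str) -> Version:
    """Extract '7.3.1', '7.4' or 'wagtail==7.0.7' into a (major, minor, patch) tuple."""
    match = VERSION_RE.search(text)
    if not match:
        raise ValueError(f"no version number found in {text!r}")
    major, minor, patch = match.groups()
    return (int(major), int(minor), int(patch or 0))


def is_affected(text: str) -> bool:
    """True if the version lies inside one of the vulnerable ranges."""
    v = parse_version(text)
    return any((low is None or v >= low) and v < high for low, high in VULNERABLE_RANGES)


def fixed_release_for(text: str) -> str:
    """Smallest fixed release named in the record that the version can move to."""
    v = parse_version(text)
    if v < (7, 1, 0):
        return "7.0.7"
    if v < (7, 3, 2):
        return "7.3.2"
    return "7.4"


def triage_requirements(text: str) -> Dict[str, Dict[str, object]]:
    """Map each 'wagtail==X' pin in requirements text to its triage result."""
    results: Dict[str, Dict[str, object]] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        if not line:
            continue
        name = re.split(r"[=<>~!\s\[]", line, 1)[0].lower()
        if name != "wagtail" or "==" not in line:
            continue  # only exact pins give a definite answer
        results[line] = {"affected": is_affected(line), "fix": fixed_release_for(line)}
    return results


def installed_wagtail_version() -> Optional[str]:
    """Version of the wagtail package in this interpreter, or None if absent."""
    try:
        return installed("wagtail")
    except PackageNotFoundError:
        return None


if __name__ == "__main__":
    local = installed_wagtail_version()
    if local is None:
        print("wagtail is not installed in this environment")
    else:
        status = "AFFECTED" if is_affected(local) else "not affected"
        print(f"installed wagtail {local}: {status}; fixed in {fixed_release_for(local)}")
    for pin, result in triage_requirements(SAMPLE_REQUIREMENTS).items():
        print(f"{pin}: affected={result['affected']} fix={result['fix']}")
```

Run it inside the project's virtualenv, or feed it the contents of a requirements or lock file; a pin that reports `affected=True` should be bumped to the named fix, and the curl probe then confirms that private-collection items no longer appear for unauthenticated callers.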