CVE-2026-54259
Status: Received - Intake

Information Disclosure in Wagtail CMS

Vulnerability report for CVE-2026-54259, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-01

Last updated on: 2026-07-01

Assigner: GitHub, Inc.

Description

Wagtail is an open source content management system built on Django. In versions prior to 7.0.8, 7.3.3 and 7.4.2, the Documents and Images chooser's chosen endpoint incorrectly listed items in collections for which the user had not been granted choose permission. A user with access to the Wagtail admin could see the filename, name, and URL of documents and images in those collections. The vulnerability is not exploitable by an ordinary site visitor without access to the Wagtail admin. This issue has been fixed in versions 7.0.8, 7.3.3, and 7.4.2.

Meta Information

Published: 2026-07-01
Last Modified: 2026-07-01
Generated: 2026-07-02
EPSS Evaluated: N/A

Affected Vendors & Products (3 associated CPEs)

Vendor    Product    Version / Range
wagtail   wagtail    up to 7.0.8 (excluding)
wagtail   wagtail    up to 7.3.3 (excluding)
wagtail   wagtail    up to 7.4.2 (excluding)

CWE

CWE-280: The product does not handle or incorrectly handles when it has insufficient privileges to access resources or functionality as specified by their permissions. This may cause it to follow unexpected code paths that may leave the product in an invalid state.

Executive Summary

This vulnerability affects Wagtail, an open source content management system built on Django. In versions prior to 7.0.8, 7.3.3, and 7.4.2, the Documents and Images chooser's chosen endpoint incorrectly displayed items to users who did not have permission to choose those items. Specifically, a user with access to the Wagtail admin interface could see the filenames, names, and URLs of documents and images in collections they were not authorized to access.

The vulnerability does not affect ordinary site visitors without admin access, meaning only users with some level of admin access could exploit this information disclosure.

This issue was fixed in versions 7.0.8, 7.3.3, and 7.4.2 of Wagtail.

Impact Analysis

The vulnerability can lead to unauthorized disclosure of filenames, names, and URLs of documents and images within Wagtail collections. This means that users with some admin access could view information they are not permitted to see, potentially exposing sensitive or confidential content.

However, the vulnerability does not allow modification or deletion of content, nor does it affect ordinary site visitors without admin access.

The impact is primarily information disclosure, which could lead to privacy concerns or leakage of sensitive data if the documents or images contain confidential information.

Mitigation Strategies

To mitigate this vulnerability, upgrade Wagtail to version 7.0.8, 7.3.3, or 7.4.2 or later, as these versions contain the fix for the issue.

Ensure that only trusted users have access to the Wagtail admin interface, since the vulnerability requires admin access to be exploitable.

Compliance Impact

This vulnerability allows a user with access to the Wagtail admin to see filenames, names, and URLs of documents and images for which they do not have choose permission. This could potentially lead to unauthorized disclosure of information.

Since the vulnerability exposes information to users without proper permission, it may impact compliance with data protection regulations such as GDPR or HIPAA, which require strict access controls and protection of sensitive information.

However, the vulnerability is not exploitable by ordinary site visitors without admin access, which limits the scope of exposure.
