CVE-2026-54262
Received - Intake

Permission Bypass in Wagtail CMS via Translation Submission

Publication date: 2026-07-01

Last updated on: 2026-07-01

Assigner: GitHub, Inc.

Description

Wagtail is an open source content management system built on Django. In versions prior to 7.0.8, 7.3.3 and 7.4.2, a low-level user with the "Can submit translation" permission can create translations for any page, including those they do not have permissions for. This issue has been fixed in versions 7.0.8, 7.3.3, and 7.4.2.

Meta Information

Published: 2026-07-01
Last Modified: 2026-07-01
Generated: 2026-07-02
AI Q&A: 2026-07-02
EPSS Evaluated: N/A

Affected Vendors & Products

Vendor    Product    Version / Range
wagtail   wagtail    to 7.0.8 (exc)
wagtail   wagtail    to 7.3.3 (exc)
wagtail   wagtail    to 7.4.2 (exc)

CWE

CWE ID: CWE-280
Description: The product does not handle or incorrectly handles when it has insufficient privileges to access resources or functionality as specified by their permissions. This may cause it to follow unexpected code paths that may leave the product in an invalid state.

Executive Summary

This vulnerability affects the Wagtail content management system in versions prior to 7.0.8, 7.3.3, and 7.4.2. It allows a low-level user who has the "Can submit translation" permission to create translations for any page, even those pages for which they do not have explicit permissions.

Impact Analysis

The vulnerability can lead to unauthorized creation of translations on pages that a user should not have access to. This could result in unauthorized content modifications or additions, potentially leading to misinformation, content integrity issues, or exposure of sensitive information through translated content.

Mitigation Strategies

To mitigate this vulnerability, you should upgrade Wagtail to one of the fixed versions: 7.0.8, 7.3.3, or 7.4.2.
