Wagtail, Improper Permission Handling, CVE-2026-44200 (Moderate)

By /

Listen to this Post

How CVE-2026-44200 Works

The vulnerability stems from a logic flaw in Wagtail’s page copy routine. When a user with limited permissions copies a page, the system performs a permission check on the destination (to ensure the user can create pages there) but completely omits the check on the source page. This means:
– A user who only has “add” permission inside a specific subtree can open the copy dialog, enter the primary key of a page they are not allowed to see, and copy it into their allowed area.
– The copy action uses Wagtail’s existing copy view (/admin/pages/ with a `copy` action) which validates the destination via `page.permissions_for_user(user).can_add_subpage()` but never calls `page.permissions_for_user(user).can_view()` on the source.
– Once the copy arrives in the user’s subtree, the user gains full read access to all copied content, including any unpublished fields, revision history, comments, and internal settings attached to the source page model.
– If the user also holds “publish” rights in the destination, they can immediately make the copied content public, exposing sensitive information that was originally restricted.
– The attack does not require any special HTTP POST manipulation beyond a standard copy request with a chosen source page ID.
– The issue affects all versions of Wagtail prior to 7.0.7 (the first patched release) and versions 7.1 through 7.3.1 (fixed in 7.3.2). The newly released 7.4 LTS also incorporates the fix.
– The vulnerability is assigned CWE-280 (Improper Handling of Insufficient Permissions) and carries a CVSS 3.1 base score of 4.3 (Medium) with vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N.
– Successful exploitation enables a low‑privileged CMS user to view the contents of any page in the system, regardless of its original privacy settings, simply by copying that page to a location they control.
– Because the copy operation does not alter the original page, the breach leaves no trace in the source page’s audit log, making detection difficult.
– No publicly available workaround exists; only upgrading to a fixed version eliminates the risk.

dailycve form:

Platform: Wagtail CMS
Version: Below 7.0.7
Vulnerability: Permission Bypass Copy
Severity: Moderate
Date: 2026-05-08

Prediction: Patch 2026-05-08

Analytics under heading What Undercode Say:

Check installed Wagtail version (Python pip)
pip show wagtail | grep Version
Alternative version check inside Django shell
python manage.py shell -c "import wagtail; print(wagtail.<strong>version</strong>)"
Audit current user's page copy permissions (requires Django shell)
python manage.py shell -c "
from wagtail.models import Page
from django.contrib.auth.models import User
user = User.objects.get(username='limited_user')
for page in Page.objects.all():
if not page.permissions_for_user(user).can_view():
print(f'User cannot view: {page.} (ID {page.pk})')
"

Exploit:

  1. Identify a target page ID that the user cannot normally view (e.g., by enumerating page IDs or using the “Pages using X” view).
  2. Navigate to any page where the user has “add subpage” permission (the destination).
  3. Click “Copy this page” from the destination’s copy menu, but in the copy form, replace the source page ID with the protected target page ID.
  4. Submit the form; Wagtail will copy the protected page into the allowed subtree without ever checking the source page.
  5. The copied page now resides in a location the user can access, exposing all its content and revision history.

Protection from this CVE

  • Immediate upgrade to Wagtail 7.0.7, 7.3.2, or 7.4 LTS (or any later version).
  • If upgrade is impossible, restrict page copy permissions globally by overriding the copy view and adding a custom permission check on the source page.
  • Apply principle of least privilege: do not give “add subpage” permission to users who do not also need “view” permission on all pages they might copy.
  • Monitor logs for unusual copy operations (e.g., copies of pages from unexpected sections).

Impact

  • Confidentiality breach: A user with minimal rights can read any page’s full content, including private drafts, comments, and internal metadata.
  • Potential public exposure: If the user also has publish rights, they can make the copied sensitive page publicly visible.
  • No integrity or availability impact: The original content remains unchanged, and the vulnerability does not allow deletion or modification.
  • Detection difficulty: The attack leaves no visible trace in the source page’s history, making forensics challenging.

Sources

  • GitHub Advisory GHSA-67rv-mg8q-5pf3 / CVE-2026-44200
  • Wagtail issue 9270 describing the copy permission bypass

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: github.com
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top