How the CVE Works
The vulnerability stems from a missing permission check in Wagtail’s page history view. In affected versions, a CMS user who does not have the ability to edit a specific page can still access its history report. This is due to the `can_view_revisions` method not being consistently enforced across all entry points to the page history. Specifically, while the “History” link might be hidden in the explorer menu, the direct URL to the history view remains accessible. The permission check is bypassed because the view only verifies that the user has some form of admin access, but not the specific “edit” permission required for that page. This oversight allows any authenticated admin user to view the complete revision history of any page, even those they are not authorized to modify. The history report may contain sensitive information like previous content, edit timestamps, and user activity. An attacker with limited privileges can thus enumerate page histories, leading to potential information disclosure. The issue is fixed in versions 7.0.7 and 7.3.2 by implementing a proper permission check before rendering the history view.
DailyCVE Form
Platform: Wagtail CMS
Version: < 7.0.7, < 7.3.2
Vulnerability: Info disclosure
Severity: Moderate
Date: 2026-05-08
Prediction: Patch: 2026-05-05
What Undercode Say
Analytics:
Check your Wagtail version:
`python -c "import wagtail; print(wagtail.VERSION)"`
List all pages a user can see history for (exploitative):
`curl -X GET "https://your-wagtail-site/admin/pages/123/history/" -H "Cookie: sessionid=your_admin_session"`
Remediation: upgrade to the patched version:
`pip install --upgrade wagtail==7.0.7`
Or for the 7.3.x series:
`pip install --upgrade wagtail==7.3.2`
Exploit
An attacker with only “view” or “edit” access to one page can craft a direct request to the history endpoint of any other page using its ID. For example, after discovering a page ID through enumeration, they can send a GET request to /admin/pages/<id>/history/. The server will return the full revision history because the permission check is missing. This can be automated to harvest data from all pages.
Protection from this CVE
- Upgrade immediately to Wagtail 7.0.7 or 7.3.2.
- If upgrading is not possible, manually enforce permission checks by overriding the history view in your project’s URL configuration so that it calls `page.permissions_for_user(user).can_view_revisions()` before rendering.
- Monitor admin logs for unexpected history access patterns.
- Restrict admin access to only trusted users as a defense-in-depth measure.
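The two mitigations above (gating the history view on `can_view_revisions()` and watching admin logs for history sweeps) as an added, self-contained Python example. This is not Wagtail's code: `PermissionTester`, `permissions_for_user`, `history_view_vulnerable`, `history_view_fixed` and `find_history_sweeps` are constructed stand-ins that mirror the shape of Wagtail's `page.permissions_for_user(user)` API, and the access-log layout in `SAMPLE_LOG` is invented for the example rather than taken from Wagtail or any web server.

```python
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime, timedelta
import re


@dataclass
class User:
    username: str
    is_admin: bool = True
    editable_pages: set = field(default_factory=set)  # ids of pages this user may edit


@dataclass
class Page:
    id: int
    revisions: list = field(default_factory=list)


class PermissionTester:
    """Constructed stand-in for Wagtail's PagePermissionTester (not the real class);
    only the two methods this example needs."""

    def __init__(self, page, user):
        self.page, self.user = page, user

    def can_edit(self):
        return self.page.id in self.user.editable_pages

    def can_view_revisions(self):
        # Revision history is tied to edit rights, which is what the fix enforces.
        return self.can_edit()


def permissions_for_user(page, user):
    return PermissionTester(page, user)


def history_view_vulnerable(page, user):
    """Pre-fix behaviour the advisory describes: only generic admin access is
    checked, so any admin user can read any page's history."""
    if not user.is_admin:
        return 403, None
    return 200, page.revisions


def history_view_fixed(page, user):
    """Hardened form: require can_view_revisions() for this page before rendering."""
    if not user.is_admin or not permissions_for_user(page, user).can_view_revisions():
        return 403, None
    return 200, page.revisions


# Constructed log layout: '<iso-timestamp> sess=<id> "GET <path>" <status>'
LINE_RE = re.compile(r'^(\S+) sess=(\S+) "GET /admin/pages/(\d+)/history/" (\d+)$')


def find_history_sweeps(log_lines, threshold=5, window=timedelta(minutes=5)):
    """Return {session_id: sorted page ids} for sessions that successfully fetched
    the history of >= threshold distinct pages inside any window-long interval.
    An editor revisiting a handful of pages stays below the threshold; a session
    walking sequential page ids does not."""
    per_session = defaultdict(list)
    for line in log_lines:
        m = LINE_RE.match(line)
        if not m or m.group(4) != "200":  # only successful history reads count
            continue
        ts = datetime.fromisoformat(m.group(1))
        per_session[m.group(2)].append((ts, int(m.group(3))))

    flagged = {}
    for sess, events in per_session.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            pages = {pid for ts, pid in events[i:] if ts - start <= window}
            if len(pages) >= threshold:
                flagged[sess] = sorted(pages)
                break
    return flagged


SAMPLE_LOG = [  # constructed sample, not real traffic
    '2026-05-08T09:00:00 sess=editor1 "GET /admin/pages/12/history/" 200',
    '2026-05-08T09:03:00 sess=editor1 "GET /admin/pages/12/history/" 200',
    '2026-05-08T09:40:00 sess=editor1 "GET /admin/pages/13/history/" 200',
    '2026-05-08T10:00:01 sess=lowpriv "GET /admin/pages/1/history/" 200',
    '2026-05-08T10:00:05 sess=lowpriv "GET /admin/pages/2/history/" 200',
    '2026-05-08T10:00:09 sess=lowpriv "GET /admin/pages/3/history/" 200',
    '2026-05-08T10:00:14 sess=lowpriv "GET /admin/pages/4/history/" 200',
    '2026-05-08T10:00:18 sess=lowpriv "GET /admin/pages/5/history/" 200',
    '2026-05-08T10:00:22 sess=lowpriv "GET /admin/pages/6/history/" 403',
]

if __name__ == "__main__":
    page = Page(id=123, revisions=["rev1", "rev2"])
    other_admin = User("other_admin", editable_pages={999})
    print("vulnerable:", history_view_vulnerable(page, other_admin)[0])  # 200
    print("fixed:", history_view_fixed(page, other_admin)[0])            # 403
    print("sweeps:", find_history_sweeps(SAMPLE_LOG))
```

In a real project the gate belongs in the view (or a wrapper registered in the URL configuration) so that the direct URL, not just the hidden explorer link, is covered; the detector's threshold and window are tuning knobs, and the 403s that appear after patching are themselves a useful signal that someone is still probing.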
Impact
- Confidentiality: Unauthorized users can view page histories, potentially exposing sensitive data such as draft content, previous versions, and edit metadata.
- Integrity: No direct modification risk, but exposed information could aid further attacks.
- Availability: No direct impact.
- Risk Score: Moderate, as exploitation requires admin credentials but is trivial to execute.
Sources:
Reported By: github.com