Wagtail, Improper Restriction Handling, CVE-2026-44201 (Medium)


The Wagtail CMS provides a public REST API (v2) with endpoints for documents and images. During normal operation the API applies collection privacy rules: items in private collections should remain inaccessible to unauthenticated API users. Due to a missing permission filter in the queryset builder for the `/api/v2/documents/` and `/api/v2/images/` endpoints, the API did not enforce collection privacy. An attacker with any level of API access (including unauthenticated access if the API is public) could issue a simple GET request to these endpoints, and the response would list all document/image names and filenames regardless of their privacy status. The vulnerability originates in the viewset's `get_queryset` method, which omitted the `collection` permission lookup and so allowed the ORM to return records from private collections. The issue affects all Wagtail versions prior to 7.0.7 (for the 7.0.x branch) and prior to 7.3.2 (for the 7.1/7.2/7.3.x branches); Wagtail 7.4 LTS also includes the fix. The flaw is classified under CWE-280 (Improper Handling of Insufficient Permissions or Privileges). No authentication bypass is required; the attacker only needs network access to the API.

Platform: Wagtail
Version: <7.0.7,<7.3.2
Vulnerability: Improper restriction handling
Severity: Medium
Date: 2026-05-05
Prediction: Expected patch 2026-05-08

What Undercode Say:

Check installed Wagtail version:

```shell
python -c "import wagtail; print(wagtail.__version__)"
```

Test for private collection exposure via API:

```shell
curl -s "http://target/api/v2/documents/" | jq '.items[] | {id, collection_id}'
```

Simple Python detection script:

```python
import requests

r = requests.get("http://target/api/v2/documents/")
for item in r.json().get("items", []):
    # Collection 1 is the root (public) collection; anything else listed
    # to an unauthenticated caller should not have been returned.
    if item.get("collection_id") != 1:
        print(f"Private item exposed: {item}")
```

Exploit:

Send unauthenticated GET requests to `/api/v2/documents/` and `/api/v2/images/`. If any document/image from a private collection appears in the response, the system is vulnerable.

Protection from this CVE

  1. Upgrade to Wagtail ≥7.0.7, ≥7.3.2, or 7.4 LTS.
  2. If upgrade is impossible, enable authentication on the Documents and Images APIs (e.g., token‑based auth).
  3. Restrict network access to the API endpoints using a WAF or firewall rules.
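A defender-side check, added here as example code rather than Wagtail's own: it applies the branch-specific fixed-version rules stated above to an installed version string, and flags items in an API response that belong to collections you know to be private. The sample response and its `title` field are constructed; `id` and `collection_id` follow the detection snippet above.

```python
import re
from typing import Iterable

# Fixed versions as stated in the advisory: 7.0.7 for the 7.0.x branch,
# 7.3.2 for the 7.1/7.2/7.3.x branches; 7.4 LTS also carries the fix.
def parse_version(version: str) -> tuple[int, int, int]:
    """Turn '7.3.1' or '7.3.1rc2' into (7, 3, 1); a missing patch reads as 0."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", version)
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    major, minor, patch = m.groups()
    return int(major), int(minor), int(patch or 0)

def is_vulnerable_version(version: str) -> bool:
    """Apply the advisory's branch-specific fixed-version rules."""
    major, minor, patch = parse_version(version)
    if major < 7:
        return True                     # advisory: everything before 7.0.7 is affected
    if major == 7 and minor == 0:
        return patch < 7                # 7.0.x branch: fixed in 7.0.7
    if major == 7 and minor in (1, 2, 3):
        return (minor, patch) < (3, 2)  # 7.1/7.2/7.3.x: fixed in 7.3.2
    return False                        # 7.4 LTS and later include the fix

def find_exposed_items(response: dict, private_collections: Iterable[int]) -> list[dict]:
    """Return listed items whose collection_id is in the private set.

    Run this on the JSON from an unauthenticated request: any hit means the
    endpoint is not enforcing collection privacy.
    """
    private = set(private_collections)
    return [item for item in response.get("items", [])
            if item.get("collection_id") in private]

# Constructed sample response: collection 1 is the public root, 5 is private.
SAMPLE_RESPONSE = {
    "items": [
        {"id": 10, "title": "press-kit.pdf", "collection_id": 1},
        {"id": 11, "title": "board-minutes-q1.pdf", "collection_id": 5},
    ],
}

if __name__ == "__main__":
    print("7.3.1 vulnerable:", is_vulnerable_version("7.3.1"))
    for item in find_exposed_items(SAMPLE_RESPONSE, private_collections={5}):
        print(f"Private item exposed: id={item['id']} title={item['title']}")
```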

Impact:

Unauthorized disclosure of document/image names and filenames from private collections. No file content is leaked, but metadata can reveal sensitive information.


Sources:

Reported By: github.com
Extra Source Hub:
Undercode
