Vulnerability-Lookup

GHSA-67RV-MG8Q-5PF3

Vulnerability from github – Published: 2026-05-08 20:23 – Updated: 2026-05-13 13:53

Summary

Wagtail has improper permission handling when copying pages

Details

Impact

A CMS user with limited access to pages could copy a page they don't have access to to an area of the site they do. Once copied, they'd be able to view its contents, and potentially publish it. Permissions were correctly checked for the copy destination, but not for the source page.

Patches

Patched versions have been released as Wagtail 7.0.7 and 7.3.2. The new 7.4 LTS feature release also incorporates this fix.

Workarounds

No workaround is available.

Acknowledgements

Wagtail thanks independent security researcher Sanjok Karki @thesanjok for reporting this issue.

For more information

If there are any questions or comments about this advisory:

Visit Wagtail's support channels
Send an email to security@wagtail.org (view the security policy for more information).

Severity ?

6.5 (Medium)


                  
                    CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "wagtail"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "7.0.7"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "wagtail"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "7.1"
            },
            {
              "fixed": "7.3.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-44200"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-280"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-05-08T20:23:11Z",
    "nvd_published_at": "2026-05-11T16:17:35Z",
    "severity": "MODERATE"
  },
  "details": "### Impact\n\nA CMS user with limited access to pages could copy a page they don\u0027t have access to to an area of the site they do. Once copied, they\u0027d be able to view its contents, and potentially publish it. Permissions were correctly checked for the copy destination, but not for the source page.\n\n### Patches\n\nPatched versions have been released as Wagtail 7.0.7 and 7.3.2. The new 7.4 LTS feature release also incorporates this fix.\n\n### Workarounds\n\nNo workaround is available.\n\n\n### Acknowledgements\n\nWagtail thanks independent security researcher Sanjok Karki @thesanjok for reporting this issue.\n\n### For more information\nIf there are any questions or comments about this advisory:\n\n* Visit Wagtail\u0027s [support channels](https://docs.wagtail.org/en/stable/support.html)\n* Send an email to [security@wagtail.org](mailto:security@wagtail.org) (view the [security policy](https://github.com/wagtail/wagtail/security/policy) for more information).",
  "id": "GHSA-67rv-mg8q-5pf3",
  "modified": "2026-05-13T13:53:07Z",
  "published": "2026-05-08T20:23:11Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/wagtail/wagtail/security/advisories/GHSA-67rv-mg8q-5pf3"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-44200"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/wagtail/wagtail"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Wagtail has improper permission handling when copying pages"
}

CVE-2026-44200 (GCVE-0-2026-44200)

Vulnerability from cvelistv5 – Published: 2026-05-11 14:41 – Updated: 2026-05-11 19:07

Title

Wagtail: Improper permission handling when copying pages

Summary

Wagtail is an open source content management system built on Django. Prior to 7.0.7, 7.3.2, and 7.4, a CMS user with limited access to pages could copy a page they don't have access to to an area of the site they do. Once coped, they'd be able to view its contents, and potentially publish it. Permissions were correctly checked for the copy destination, but not for the source page. This vulnerability is fixed in 7.0.7, 7.3.2, and 7.4.

Severity ?

6.5 (Medium)


                        
                          CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

CWE

CWE-280 - Improper Handling of Insufficient Permissions or Privileges

Assigner

GitHub_M

References

1 reference

URL	Tags
https://github.com/wagtail/wagtail/security/advis…	x_refsource_CONFIRM

Impacted products

1 product

Vendor	Product	Version
wagtail	wagtail	Affected: < 7.0.7 Affected: >= 7.1, < 7.3.2

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-44200",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-05-11T18:54:04.086666Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-05-11T19:07:11.475Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "wagtail",
          "vendor": "wagtail",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 7.0.7"
            },
            {
              "status": "affected",
              "version": "\u003e= 7.1, \u003c 7.3.2"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Wagtail is an open source content management system built on Django. Prior to 7.0.7, 7.3.2, and 7.4, a CMS user with limited access to pages could copy a page they don\u0027t have access to to an area of the site they do. Once coped, they\u0027d be able to view its contents, and potentially publish it. Permissions were correctly checked for the copy destination, but not for the source page. This vulnerability is fixed in 7.0.7, 7.3.2, and 7.4."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-280",
              "description": "CWE-280: Improper Handling of Insufficient Permissions or Privileges",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-11T14:41:41.807Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/wagtail/wagtail/security/advisories/GHSA-67rv-mg8q-5pf3",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/wagtail/wagtail/security/advisories/GHSA-67rv-mg8q-5pf3"
        }
      ],
      "source": {
        "advisory": "GHSA-67rv-mg8q-5pf3",
        "discovery": "UNKNOWN"
      },
      "title": "Wagtail: Improper permission handling when copying pages"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-44200",
    "datePublished": "2026-05-11T14:41:41.807Z",
    "dateReserved": "2026-05-05T15:13:47.570Z",
    "dateUpdated": "2026-05-11T19:07:11.475Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

PYSEC-2026-149

Vulnerability from pysec - Published: 2026-05-11 16:17 - Updated: 2026-05-20 09:19

Details

Severity ?

6.5 (Medium)


                  
                    CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Impacted products

Name	purl
wagtail	pkg:pypi/wagtail

Aliases

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "wagtail",
        "purl": "pkg:pypi/wagtail"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "7.0.7"
            },
            {
              "introduced": "7.1"
            },
            {
              "fixed": "7.3.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ],
      "versions": [
        "0.1",
        "0.2",
        "0.3",
        "0.3.1",
        "0.4",
        "0.4.1",
        "0.5",
        "0.6",
        "0.7",
        "0.8",
        "0.8.1",
        "0.8.10",
        "0.8.2",
        "0.8.3",
        "0.8.4",
        "0.8.5",
        "0.8.6",
        "0.8.7",
        "0.8.8",
        "0.8.9",
        "1.0",
        "1.0b1",
        "1.0b2",
        "1.0rc1",
        "1.0rc2",
        "1.1",
        "1.10",
        "1.10.1",
        "1.10rc1",
        "1.11",
        "1.11.1",
        "1.11rc1",
        "1.12",
        "1.12.1",
        "1.12.2",
        "1.12.3",
        "1.12.4",
        "1.12.5",
        "1.12.6",
        "1.12rc1",
        "1.13",
        "1.13.1",
        "1.13.2",
        "1.13.3",
        "1.13.4",
        "1.13rc1",
        "1.1rc1",
        "1.2",
        "1.2rc1",
        "1.3",
        "1.3.1",
        "1.3rc1",
        "1.4",
        "1.4.1",
        "1.4.2",
        "1.4.3",
        "1.4.4",
        "1.4.5",
        "1.4.6",
        "1.4rc1",
        "1.5",
        "1.5.1",
        "1.5.2",
        "1.5.3",
        "1.5rc1",
        "1.6",
        "1.6.1",
        "1.6.2",
        "1.6.3",
        "1.6rc1",
        "1.7",
        "1.7rc1",
        "1.8",
        "1.8.1",
        "1.8.2",
        "1.8rc1",
        "1.9",
        "1.9.1",
        "1.9rc1",
        "2.0",
        "2.0.1",
        "2.0.2",
        "2.0b1",
        "2.0rc1",
        "2.1",
        "2.1.1",
        "2.1.2",
        "2.1.3",
        "2.10",
        "2.10.1",
        "2.10.2",
        "2.10rc1",
        "2.10rc2",
        "2.11",
        "2.11.1",
        "2.11.2",
        "2.11.3",
        "2.11.4",
        "2.11.5",
        "2.11.6",
        "2.11.7",
        "2.11.8",
        "2.11.9",
        "2.11rc1",
        "2.12",
        "2.12.1",
        "2.12.2",
        "2.12.3",
        "2.12.4",
        "2.12.5",
        "2.12.6",
        "2.12rc1",
        "2.13",
        "2.13.1",
        "2.13.2",
        "2.13.3",
        "2.13.4",
        "2.13.5",
        "2.13rc1",
        "2.13rc2",
        "2.13rc3",
        "2.14",
        "2.14.1",
        "2.14.2",
        "2.14rc1",
        "2.15",
        "2.15.1",
        "2.15.2",
        "2.15.3",
        "2.15.4",
        "2.15.5",
        "2.15.6",
        "2.15rc1",
        "2.15rc2",
        "2.16",
        "2.16.1",
        "2.16.2",
        "2.16.3",
        "2.16rc1",
        "2.16rc2",
        "2.1rc1",
        "2.1rc2",
        "2.2",
        "2.2.1",
        "2.2.2",
        "2.2rc1",
        "2.2rc2",
        "2.3",
        "2.3rc1",
        "2.3rc2",
        "2.4",
        "2.4rc1",
        "2.5",
        "2.5.1",
        "2.5.2",
        "2.5rc1",
        "2.6",
        "2.6.1",
        "2.6.2",
        "2.6.3",
        "2.6rc1",
        "2.7",
        "2.7.1",
        "2.7.2",
        "2.7.3",
        "2.7.4",
        "2.7rc1",
        "2.7rc2",
        "2.8",
        "2.8.1",
        "2.8.2",
        "2.8rc1",
        "2.9",
        "2.9.1",
        "2.9.2",
        "2.9.3",
        "2.9rc1",
        "3.0",
        "3.0.1",
        "3.0.2",
        "3.0.3",
        "3.0rc1",
        "3.0rc2",
        "3.0rc3",
        "4.0",
        "4.0.1",
        "4.0.2",
        "4.0.3",
        "4.0.4",
        "4.0rc1",
        "4.0rc2",
        "4.1",
        "4.1.1",
        "4.1.2",
        "4.1.3",
        "4.1.4",
        "4.1.5",
        "4.1.6",
        "4.1.7",
        "4.1.8",
        "4.1.9",
        "4.1rc1",
        "4.2",
        "4.2.1",
        "4.2.2",
        "4.2.3",
        "4.2.4",
        "4.2rc1",
        "5.0",
        "5.0.1",
        "5.0.2",
        "5.0.3",
        "5.0.4",
        "5.0.5",
        "5.0rc1",
        "5.1",
        "5.1.1",
        "5.1.2",
        "5.1.3",
        "5.1rc1",
        "5.2",
        "5.2.1",
        "5.2.2",
        "5.2.3",
        "5.2.4",
        "5.2.5",
        "5.2.6",
        "5.2.7",
        "5.2.8",
        "5.2rc1",
        "6.0",
        "6.0.1",
        "6.0.2",
        "6.0.3",
        "6.0.4",
        "6.0.5",
        "6.0.6",
        "6.0rc1",
        "6.1",
        "6.1.1",
        "6.1.2",
        "6.1.3",
        "6.1rc1",
        "6.1rc2",
        "6.2",
        "6.2.1",
        "6.2.2",
        "6.2.3",
        "6.2.4",
        "6.2rc1",
        "6.3",
        "6.3.1",
        "6.3.2",
        "6.3.3",
        "6.3.4",
        "6.3.5",
        "6.3.6",
        "6.3.7",
        "6.3.8",
        "6.3rc1",
        "6.3rc2",
        "6.4",
        "6.4.1",
        "6.4.2",
        "6.4rc1",
        "7.0",
        "7.0.1",
        "7.0.2",
        "7.0.3",
        "7.0.4",
        "7.0.5",
        "7.0.6",
        "7.0rc1",
        "7.1",
        "7.1.1",
        "7.1.2",
        "7.1.3",
        "7.2",
        "7.2.1",
        "7.2.2",
        "7.2.3",
        "7.2rc1",
        "7.3",
        "7.3.1",
        "7.3rc1"
      ]
    }
  ],
  "aliases": [
    "CVE-2026-44200",
    "GHSA-67rv-mg8q-5pf3"
  ],
  "details": "Wagtail is an open source content management system built on Django. Prior to 7.0.7, 7.3.2, and 7.4, a CMS user with limited access to pages could copy a page they don\u0027t have access to to an area of the site they do. Once coped, they\u0027d be able to view its contents, and potentially publish it. Permissions were correctly checked for the copy destination, but not for the source page. This vulnerability is fixed in 7.0.7, 7.3.2, and 7.4.",
  "id": "PYSEC-2026-149",
  "modified": "2026-05-20T09:19:23.155861Z",
  "published": "2026-05-11T16:17:35.713Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://github.com/wagtail/wagtail/security/advisories/GHSA-67rv-mg8q-5pf3"
    }
  ],
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

Sightings

Author	Source	Type	Date	Other

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

GHSA-67RV-MG8Q-5PF3

Impact

Patches

Workarounds

Acknowledgements

For more information

CVE-2026-44200 (GCVE-0-2026-44200)

PYSEC-2026-149

Tags

Sightings

Nomenclature