MEDIUM 4.3 PyPI
Wagtail has improper permission handling when viewing page history
GHSA-c4mr-889m-vgf6 · CVE-2026-44198 · PYSEC-2026-147
Published · Modified
Description
Impact
A CMS user without the ability to edit a page could still access the history report for the page, potentially resulting in disclosure of sensitive information.
Patches
Patched versions have been released as Wagtail 7.0.7 and 7.3.2. The new 7.4 LTS feature release also incorporates this fix.
Workarounds
No workaround is available.
Acknowledgements
Wagtail thanks Seoyoung Kang @seoyoung-kang who is from AhnLab and also an independent security researcher for reporting this issue.
For more information
If there are any questions or comments about this advisory:
- Visit Wagtail's support channels
- Send an email to security@wagtail.org (view the security policy for more information).
Ready to move
Start Securing
Free, no credit card | First findings in minutes