MEDIUM 5.3 PyPI
Wagtail has improper restriction handling on Documents and Images API
GHSA-p5gm-92h4-6pv6 · CVE-2026-44201 · PYSEC-2026-150
Published · Modified
Description
Impact
The Documents and Images API incorrectly listed items in private collections. A user with access to the API could see the filename and name of documents and images in private collections.
Patches
Patched versions have been released as Wagtail 7.0.7 and 7.3.2. The new 7.4 LTS feature release also incorporates this fix.
Workarounds
Site owners using Wagtail's API can avoid the vulnerability by adding authentication to the Documents and Images APIs.
Acknowledgements
Wagtail thanks independent security researcher Sanjok Karki @thesanjok for reporting this issue.
For more information
If there are any questions or comments about this advisory:
- Visit Wagtail's support channels
- Send an email to security@wagtail.org (view the security policy for more information).
Ready to move
Start Securing
Free, no credit card | First findings in minutes