CVE-2026-44200
MEDIUM 6.5 | EPSS 0.03%
Wagtail has improper permission handling when copying pages
Description
### Impact

A CMS user with limited access to pages could copy a page they don't have access to to an area of the site they do. Once copied, they'd be able to view its contents, and potentially publish it. Permissions were correctly checked for the copy destination, but not for the source page.

### Patches

Patched versions have been released as Wagtail 7.0.7 and 7.3.2. The new 7.4 LTS feature release also incorporates this fix.

### Workarounds

No workaround is available.

### Acknowledgements

Wagtail thanks independent security researcher Sanjok Karki @thesanjok for reporting this issue.

### For more information

If there are any questions or comments about this advisory:

* Visit Wagtail's [support channels](https://docs.wagtail.org/en/stable/support.html)
* Send an email to [[email protected]](mailto:[email protected]) (view the [security policy](https://github.com/wagtail/wagtail/security/policy) for more information).
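The flaw described under Impact, destination authorized but source not, is shown below as a simplified model beside its hardened form. This is an added example, not Wagtail's code or the actual patch; the `Page`, `User`, `can_access` and copy function names, the section-prefix permission model and the sample data are all assumptions made for illustration.

```python
from dataclasses import dataclass

class PermissionDenied(Exception):
    pass

@dataclass(frozen=True)
class Page:
    path: str   # position in the page tree, e.g. "/hr/salaries"
    body: str

@dataclass(frozen=True)
class User:
    name: str
    sections: frozenset  # tree roots this user has page permissions under

    def can_access(self, path: str) -> bool:
        return any(path == s or path.startswith(s + "/") for s in self.sections)

def _copy(source: Page, dest_parent: str) -> Page:
    slug = source.path.rsplit("/", 1)[-1]
    return Page(f"{dest_parent}/{slug}", source.body)

def copy_destination_only(user: User, source: Page, dest_parent: str) -> Page:
    """Flawed pattern: the destination is authorized, the source is not."""
    if not user.can_access(dest_parent):
        raise PermissionDenied("destination")
    return _copy(source, dest_parent)

def copy_source_and_destination(user: User, source: Page, dest_parent: str) -> Page:
    """Hardened pattern: both ends of the copy are authorized."""
    if not user.can_access(source.path):
        raise PermissionDenied("source")
    if not user.can_access(dest_parent):
        raise PermissionDenied("destination")
    return _copy(source, dest_parent)

def outcome(copy_fn, user, source, dest_parent) -> str:
    """Run a copy and report 'copied -> <path>' or 'denied: <which end>'."""
    try:
        return "copied -> " + copy_fn(user, source, dest_parent).path
    except PermissionDenied as exc:
        return f"denied: {exc}"

# Constructed sample data (hypothetical, not from the advisory).
EDITOR = User("blog-editor", frozenset({"/blog"}))
RESTRICTED = Page("/hr/salaries", "restricted content")
OWN = Page("/blog/draft", "own draft")

if __name__ == "__main__":
    for fn in (copy_destination_only, copy_source_and_destination):
        print(fn.__name__, "|", outcome(fn, EDITOR, RESTRICTED, "/blog"))
```

The same pair of assertions (copy of an inaccessible source is denied, copy of an accessible one succeeds) works as a regression test for any copy, move or clone action that takes both a source and a destination object.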
Affected packages (2)
- PyPI/wagtail from 0, < 7.0.7
- PyPI/wagtail from 0, < 7.0.7, >= 7.1, < 7.3.2
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM 6.5 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N |