CVE-2026-44197 Overview
CVE-2026-44197 is an information disclosure vulnerability in Wagtail, an open source content management system (CMS) built on Django. The flaw affects Wagtail versions prior to 7.0.7, 7.3.2, and 7.4. A CMS user lacking edit permissions on a page can still access page revisions through the revision compare view if they know the primary keys of two revisions. The vulnerability is classified under CWE-280: Improper Handling of Insufficient Permissions or Privileges and can result in disclosure of sensitive page content to unauthorized authenticated users.
Critical Impact
Authenticated CMS users without page edit rights can read historical page revisions, exposing draft content, internal notes, or sensitive data intended for restricted audiences.
Affected Products
- Torchbox Wagtail versions prior to 7.0.7
- Torchbox Wagtail versions prior to 7.3.2 (7.3.x branch)
- Torchbox Wagtail versions prior to 7.4
Discovery Timeline
- 2026-05-11 - CVE-2026-44197 published to NVD
- 2026-05-12 - Last updated in NVD database
Technical Details for CVE-2026-44197
Vulnerability Analysis
Wagtail maintains revision history for pages through its versioning system. The revision compare view allows authorized editors to view differences between two stored revisions of a page. The view accepts two primary key parameters that identify the revisions to compare.
The vulnerability stems from incomplete authorization enforcement on this comparison endpoint. The view verifies that a user is authenticated to the CMS but does not validate that the user holds edit permissions on the underlying page. Any authenticated CMS user who guesses or enumerates revision primary keys can retrieve revision contents that should be restricted.
This exposes draft content, unpublished changes, editorial comments, and any other field data captured in the revision snapshot. The impact is confidentiality only — integrity and availability are not affected.
Root Cause
The root cause is a missing permission check in the revision compare view. The handler validates session authentication but omits the page-level permission check required to view revisions. This aligns with [CWE-280], where the application fails to handle missing privileges correctly and defaults to permitting access.
Attack Vector
Exploitation requires network access to the Wagtail admin interface and valid CMS credentials with any role. The attacker iterates or guesses two integer revision primary keys and submits them to the compare view URL. Sequential integer identifiers make enumeration straightforward. No user interaction beyond the attacker's authenticated request is required.
No verified public exploit code is available. The vulnerability mechanism is described in the Wagtail GitHub Security Advisory GHSA-c6wj-9vcj-75pj.
Detection Methods for CVE-2026-44197
Indicators of Compromise
- Repeated HTTP GET requests to revision compare endpoints under the Wagtail admin path from low-privilege user sessions.
- Sequential or enumerative access patterns against revision primary key parameters in admin URLs.
- CMS users without page edit rights generating traffic to revision-related views in access logs.
Detection Strategies
- Review Django and web server access logs for requests to the revision compare view originating from accounts that do not have editor or moderator roles on the referenced pages.
- Correlate Wagtail user role assignments with HTTP request paths to identify permission-versus-activity mismatches.
- Alert on high-volume access to revision endpoints from a single session, which suggests enumeration of revision IDs.
Monitoring Recommendations
- Forward Wagtail and Django application logs to a centralized log platform for retention and query.
- Establish a baseline of normal revision-view activity per user role and alert on deviations.
- Audit CMS user accounts quarterly and remove dormant or over-provisioned accounts that could be abused.
How to Mitigate CVE-2026-44197
Immediate Actions Required
- Upgrade Wagtail to version 7.0.7, 7.3.2, or 7.4 depending on the deployed release branch.
- Audit existing CMS user accounts and revoke access for users who do not require CMS login.
- Review revision history for pages containing sensitive content and rotate or redact any data that may have been exposed.
Patch Information
Torchbox released fixed versions 7.0.7, 7.3.2, and 7.4 of Wagtail that enforce the correct page-level permission check on the revision compare view. Refer to the Wagtail GitHub Security Advisory GHSA-c6wj-9vcj-75pj for the patch commit and release notes.
Workarounds
- Restrict access to the Wagtail admin interface to trusted network ranges using a reverse proxy or VPN until the patch is applied.
- Reduce the number of low-privilege CMS accounts to limit the population of users able to exploit the flaw.
- Avoid storing highly sensitive data in page revisions on unpatched installations.
# Upgrade Wagtail using pip to a patched release
pip install --upgrade "wagtail>=7.4"
# Or for the 7.3.x branch
pip install --upgrade "wagtail>=7.3.2,<7.4"
# Or for the 7.0.x branch
pip install --upgrade "wagtail>=7.0.7,<7.1"
# Verify the installed version
python -c "import wagtail; print(wagtail.__version__)"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
