CVE-2026-44198 Overview
CVE-2026-44198 is an information disclosure vulnerability in Wagtail, an open source content management system built on Django. The flaw allows a CMS user who lacks edit permission on a page to access the history report for that page. This access can expose sensitive information contained in prior page revisions and edit metadata.
The vulnerability is tracked under CWE-280: Improper Handling of Insufficient Permissions or Privileges. Torchbox addressed the issue in Wagtail versions 7.0.7, 7.3.2, and 7.4. The vulnerability requires low-privileged authenticated access over the network and impacts confidentiality only.
Critical Impact
An authenticated CMS user lacking edit rights can retrieve the page history report, potentially disclosing sensitive revision data and editorial workflow information.
Affected Products
- Torchbox Wagtail versions prior to 7.0.7
- Torchbox Wagtail versions prior to 7.3.2
- Torchbox Wagtail versions prior to 7.4
Discovery Timeline
- 2026-05-11 - CVE-2026-44198 published to NVD
- 2026-05-12 - Last updated in NVD database
Technical Details for CVE-2026-44198
Vulnerability Analysis
Wagtail provides per-page permissions that govern who can view, edit, or publish content. The history report view exposes page revision metadata, including timestamps, editing users, and change descriptions. Prior to the fixed releases, the permission check on the history report did not enforce the edit permission required to access this view.
As a result, a low-privileged authenticated user could request the history report for a page they were not authorized to edit. The response disclosed editorial activity for that page. The issue is restricted to information disclosure and does not allow modification of content or escalation of privileges.
Root Cause
The root cause is improper handling of insufficient permissions on the page history report endpoint. The view checked for general CMS authentication rather than verifying that the requesting user held edit rights on the specific page. This permission gap maps to CWE-280.
Attack Vector
Exploitation requires an authenticated CMS account with any level of access to the Wagtail admin. The attacker navigates to the history report URL for a target page they cannot edit. The server returns the report, exposing revision metadata. No user interaction beyond the authenticated request is required, and the attack is performed over the network.
No verified public proof-of-concept code is available. Refer to the Wagtail GitHub Security Advisory GHSA-c4mr-889m-vgf6 for technical details.
Detection Methods for CVE-2026-44198
Indicators of Compromise
- Access log entries showing authenticated requests to Wagtail admin history report URLs (paths containing /admin/pages/*/history/) from accounts that lack edit permissions on the requested page.
- Repeated history report requests from a single user account targeting multiple pages outside their assigned workflow.
- Unexpected enumeration patterns against page IDs in admin history endpoints.
Detection Strategies
- Audit Wagtail admin access logs and correlate user IDs with their assigned page permissions to identify mismatches against history endpoint requests.
- Review Django request logs for HTTP 200 responses to history report paths from low-privileged users.
- Inspect the Wagtail audit log for unusual viewing patterns by editors or contributors who do not own the pages queried.
Monitoring Recommendations
- Forward Wagtail and Django application logs to a centralized logging platform for query and alerting.
- Create alerts for any user account that requests history reports across an unusually large set of page IDs in a short window.
- Track user-to-page permission mappings and flag deviations between assigned permissions and accessed admin views.
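The following script is an added example (not from the advisory or the Wagtail project) that implements the detection strategies and monitoring recommendations above: it parses web-server access log lines for Wagtail history report requests, correlates each request against an exported user-to-page edit permission map, and flags both permission mismatches and accounts enumerating many page IDs. The log lines, the permission map, and the common log format with the authenticated username in the third field are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample access-log lines (assumed common log format, username in
# the third field). These are not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - alice [11/May/2026:10:00:01 +0000] "GET /admin/pages/12/history/ HTTP/1.1" 200 5120
10.0.0.7 - bob [11/May/2026:10:00:05 +0000] "GET /admin/pages/12/history/ HTTP/1.1" 200 5120
10.0.0.7 - bob [11/May/2026:10:00:06 +0000] "GET /admin/pages/13/history/ HTTP/1.1" 200 4870
10.0.0.7 - bob [11/May/2026:10:00:07 +0000] "GET /admin/pages/14/history/ HTTP/1.1" 200 4990
10.0.0.9 - carol [11/May/2026:10:01:00 +0000] "GET /admin/pages/12/edit/ HTTP/1.1" 200 9000
"""

# Constructed user-to-page edit permission map (assumed to be exported from the
# CMS): username -> set of page IDs the user is allowed to edit.
EDIT_PERMS = {"alice": {12, 13}, "bob": set(), "carol": {12}}

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \d+'
)
# Matches the Wagtail admin history report path and captures the page ID.
HISTORY_RE = re.compile(r"^/admin/pages/(?P<page_id>\d+)/history/?$")


def parse_history_requests(log_text):
    """Yield (user, page_id) for every successful (HTTP 200) history report request."""
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        h = HISTORY_RE.match(m["path"])
        if h and m["status"] == "200":
            yield m["user"], int(h["page_id"])


def find_suspicious_history_access(log_text, edit_perms, enum_threshold=3):
    """Return history report accesses by users lacking edit rights on the page,
    plus users that requested reports for >= enum_threshold distinct pages."""
    mismatches = []
    pages_by_user = defaultdict(set)
    for user, page_id in parse_history_requests(log_text):
        pages_by_user[user].add(page_id)
        if page_id not in edit_perms.get(user, set()):
            mismatches.append((user, page_id))
    enumerators = sorted(u for u, p in pages_by_user.items() if len(p) >= enum_threshold)
    return {"mismatches": mismatches, "enumerators": enumerators}


if __name__ == "__main__":
    print(find_suspicious_history_access(SAMPLE_LOG, EDIT_PERMS))
```

On a patched server the same correlation still applies: a 200 response to a history path from a user without edit rights on that page should no longer occur, so any such hit is worth investigating.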
How to Mitigate CVE-2026-44198
Immediate Actions Required
- Upgrade Wagtail to version 7.0.7, 7.3.2, or 7.4 depending on the deployed release branch.
- Audit CMS user accounts and remove unnecessary admin access for users who do not require it.
- Review page-level permission assignments to ensure least privilege across editors, moderators, and contributors.
Patch Information
Torchbox released fixed versions 7.0.7, 7.3.2, and 7.4 of Wagtail. See the Wagtail GitHub Security Advisory GHSA-c4mr-889m-vgf6 for the official remediation details and upgrade guidance.
Workarounds
- If immediate upgrade is not possible, restrict access to the Wagtail admin interface using network-level controls such as IP allowlisting or VPN-only access.
- Reduce the number of accounts with any CMS admin access until patching is complete.
- Monitor history report endpoint access and revoke credentials of any account showing suspicious enumeration behavior.
# Upgrade Wagtail to a patched version using pip
pip install --upgrade "wagtail>=7.4"
# Or pin to the appropriate fixed release for your branch
pip install "wagtail==7.0.7"
pip install "wagtail==7.3.2"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.