CVE-2026-44199 Overview
CVE-2026-44199 is an improper authorization vulnerability [CWE-280] in Wagtail, an open source content management system built on Django. The flaw allows an authenticated Wagtail admin user with limited permissions to delete form submissions belonging to form pages they do not have access to. An attacker crafts a deletion request targeting a page they do have access to while referencing submissions from a restricted page. The vulnerability requires Wagtail admin access and is not exploitable by anonymous site visitors. Maintainer Torchbox addressed the issue in Wagtail versions 7.0.7, 7.3.2, and 7.4.
Critical Impact
A low-privileged Wagtail admin user can delete form submission data from pages outside their authorized scope, resulting in loss of integrity for collected form data.
Affected Products
- Torchbox Wagtail 7.0.x releases prior to 7.0.7
- Torchbox Wagtail 7.3.x releases prior to 7.3.2
- Torchbox Wagtail releases prior to 7.4 that are not on one of the patched 7.0.x or 7.3.x releases above
Discovery Timeline
- 2026-05-11 - CVE-2026-44199 published to NVD
- 2026-05-12 - Last updated in NVD database
Technical Details for CVE-2026-44199
Vulnerability Analysis
The vulnerability resides in the form submission deletion workflow within the Wagtail admin interface. Wagtail allows site administrators to delegate access to form pages on a per-page basis. The deletion handler validates that the requesting user has permission to manage a form page referenced in the request, but it does not verify that the individual submission identifiers belong to that page. An attacker with access to any form page can submit a deletion request that references the accessible page while supplying submission IDs from form pages they do not control. The server then deletes those submissions, violating the page-level access boundary enforced by Wagtail's permission model.
Root Cause
The root cause is improper authorization handling on a specific resource [CWE-280]. The view enforces the permission check at the parent form page level but fails to re-validate that each targeted submission belongs to the authorized page before executing the delete operation. This represents a missing object-level authorization control on child resources.
Attack Vector
Exploitation occurs over the network through the authenticated Wagtail admin interface. The attacker must hold a valid Wagtail admin account with permission to manage at least one form page. The attacker crafts a POST request to the form submission deletion endpoint, supplying a page identifier they control and submission identifiers from a restricted page. Refer to the Wagtail GitHub Security Advisory GHSA-pwm3-7fv4-g6xx for further technical context.
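The check described above, reduced to a runnable model. This is an added example, not Wagtail's code or the patch from the advisory: it stands in an in-memory store for the ORM and shows a deletion handler that verifies the parent form page but deletes whatever submission ids it is handed, next to a handler that scopes the delete to submissions of the authorized page. All names (Store, delete_submissions_vulnerable, delete_submissions_fixed, the sample users and page ids) are assumptions chosen for the illustration.

```python
"""Added illustration of the authorization gap described for CVE-2026-44199.

Not Wagtail's code. An in-memory store replaces the ORM so this runs without
Django; the two handlers differ only in whether the delete step re-checks that
each submission belongs to the page the user was authorized on.
"""
from dataclasses import dataclass, field


@dataclass
class Submission:
    id: int
    page_id: int
    data: str


@dataclass
class Store:
    """Stand-in for the database: submissions plus per-user page permissions."""
    submissions: dict = field(default_factory=dict)   # id -> Submission
    permissions: dict = field(default_factory=dict)   # user -> set of page ids

    def user_can_manage(self, user, page_id):
        return page_id in self.permissions.get(user, set())


class PermissionDenied(Exception):
    pass


def delete_submissions_vulnerable(store, user, page_id, submission_ids):
    """Checks the parent page, then deletes every id supplied.

    Nothing ties the ids back to page_id, so ids from a page the user cannot
    manage are deleted as long as the user may manage *some* page.
    """
    if not store.user_can_manage(user, page_id):
        raise PermissionDenied(user)
    deleted = []
    for sid in submission_ids:
        if sid in store.submissions:
            deleted.append(store.submissions.pop(sid))
    return deleted


def delete_submissions_fixed(store, user, page_id, submission_ids):
    """Same entry point, but the delete is scoped to the authorized page.

    Equivalent to filtering a queryset by page=page AND id__in=ids. Ids that
    are unknown or belong to another page are rejected outright rather than
    silently skipped, so the attempt is visible to whoever reads the logs.
    """
    if not store.user_can_manage(user, page_id):
        raise PermissionDenied(user)
    deletable = {
        sid for sid in submission_ids
        if sid in store.submissions and store.submissions[sid].page_id == page_id
    }
    if deletable != set(submission_ids):
        raise PermissionDenied(sorted(set(submission_ids) - deletable))
    return [store.submissions.pop(sid) for sid in sorted(deletable)]


def build_store():
    """Constructed sample data: page 10 is a marketing form, page 20 an HR form."""
    store = Store()
    for sid, page_id, data in [(1, 10, "newsletter signup"),
                               (2, 20, "job application A"),
                               (3, 20, "job application B")]:
        store.submissions[sid] = Submission(sid, page_id, data)
    store.permissions["mallory"] = {10}    # may manage the marketing page only
    store.permissions["hr_admin"] = {20}
    return store


def demo():
    """Surviving submission ids after each handler processes the same request:
    mallory names her own page (10) but supplies ids from the HR page (20)."""
    results = {}
    store = build_store()
    delete_submissions_vulnerable(store, "mallory", 10, [2, 3])
    results["vulnerable"] = sorted(store.submissions)

    store = build_store()
    try:
        delete_submissions_fixed(store, "mallory", 10, [2, 3])
    except PermissionDenied:
        pass
    results["fixed"] = sorted(store.submissions)
    return results


if __name__ == "__main__":
    print(demo())   # {'vulnerable': [1], 'fixed': [1, 2, 3]}
```

The fixed variant is deliberately strict: a request mixing valid and foreign ids is rejected as a whole instead of partially applied, which keeps the handler's behaviour easy to reason about and makes a probing attacker stand out in the error log.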
Detection Methods for CVE-2026-44199
Indicators of Compromise
- Unexpected disappearance of form submission records from Wagtail form pages without a corresponding administrative audit entry
- HTTP POST requests to Wagtail admin form submission deletion endpoints where the referenced submission IDs do not belong to the page ID supplied in the request body
- Form submission deletion actions performed by users whose group permissions do not include the affected form page
Detection Strategies
- Review Wagtail admin audit logs for wagtail.delete or form submission deletion events and correlate the acting user against the page-level permissions assigned to that user
- Enable request logging for admin URLs matching the form submission deletion path and alert on requests where the authenticated user lacks page permissions for the targeted submissions. Standard web-server access logs record only the URL, so the logging must capture the POST body (or at least the submitted submission IDs) for this correlation to be possible
- Compare current form submission counts against backup snapshots to identify unauthorized deletions retroactively
Monitoring Recommendations
- Forward Wagtail admin and Django application logs to a centralized logging platform with retention sufficient to investigate historical deletion events
- Alert on high volumes of form submission deletions performed by a single user account within a short time window
- Track changes to user group memberships and form page permission assignments to detect privilege manipulation that may precede exploitation
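Two of the signals above, the mismatch between supplied submission IDs and the page in the URL, and bursts of deletions from one account, can be checked offline once the request bodies are logged. The following is an added example, not part of the advisory and not Wagtail tooling. It assumes a request logger that writes one JSON object per line with the fields shown, a deletion route of the shape /admin/forms/submissions/<page_id>/delete/ carrying ids in a selected-submissions field (adjust both to the routes and parameter names of the deployed Wagtail version), and a submission-to-page map plus user permissions that in practice would come from a database snapshot; the log lines, ids and users below are constructed.

```python
"""Added detection example for CVE-2026-44199 indicators (not Wagtail code).

Scans constructed request-log lines for deletion POSTs whose submission ids
belong to a page other than the one named in the URL, and for users issuing
many deletion POSTs in a short window. URL shape, field names and sample data
are assumptions.
"""
import json
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed route; change to match the deployed Wagtail version's URLconf.
DELETE_PATH = re.compile(r"^/admin/forms/submissions/(?P<page_id>\d+)/delete/?$")

# Constructed database snapshot: submission id -> owning form page id
SUBMISSION_PAGE = {1: 10, 2: 20, 3: 20, 4: 10, 5: 10, 6: 10}
# Constructed group permissions: user -> form pages they may manage
USER_PAGES = {"mallory": {10}, "hr_admin": {20}}

# Constructed log (one JSON record per line, as a hypothetical body-logging middleware would emit)
SAMPLE_LOG = """\
{"ts": "2026-05-12T09:00:00", "user": "hr_admin", "method": "POST", "path": "/admin/forms/submissions/20/delete/", "post": {"selected-submissions": ["2"]}}
{"ts": "2026-05-12T09:01:00", "user": "mallory", "method": "POST", "path": "/admin/forms/submissions/10/delete/", "post": {"selected-submissions": ["3", "4"]}}
{"ts": "2026-05-12T09:01:10", "user": "mallory", "method": "POST", "path": "/admin/forms/submissions/10/delete/", "post": {"selected-submissions": ["5"]}}
{"ts": "2026-05-12T09:01:20", "user": "mallory", "method": "POST", "path": "/admin/forms/submissions/10/delete/", "post": {"selected-submissions": ["6"]}}
{"ts": "2026-05-12T09:05:00", "user": "mallory", "method": "GET", "path": "/admin/forms/submissions/10/", "post": {}}
"""


def parse_deletions(log_text):
    """Yield (timestamp, user, page_id_from_url, [submission ids]) for each deletion POST."""
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        m = DELETE_PATH.match(rec.get("path", ""))
        if rec.get("method") != "POST" or not m:
            continue
        ids = [int(s) for s in rec.get("post", {}).get("selected-submissions", [])]
        yield datetime.fromisoformat(rec["ts"]), rec["user"], int(m["page_id"]), ids


def find_cross_page_deletions(log_text, submission_page, user_pages):
    """Flag requests whose ids belong to a page other than the one in the URL.

    'foreign' lists every such id with its real page; 'unauthorized' narrows
    that to pages the requesting user holds no permission on, which is the
    boundary violation the advisory describes.
    """
    findings = []
    for ts, user, page_id, ids in parse_deletions(log_text):
        foreign = {sid: submission_page.get(sid) for sid in ids
                   if submission_page.get(sid) != page_id}
        if foreign:
            unauthorized = {sid: p for sid, p in foreign.items()
                            if p not in user_pages.get(user, set())}
            findings.append({"ts": ts.isoformat(), "user": user, "url_page": page_id,
                             "foreign": foreign, "unauthorized": unauthorized})
    return findings


def find_deletion_bursts(log_text, threshold=3, window=timedelta(minutes=5)):
    """Return {user: count} for users with at least `threshold` deletion POSTs inside `window`."""
    per_user = defaultdict(list)
    for ts, user, _page, _ids in parse_deletions(log_text):
        per_user[user].append(ts)
    bursts = {}
    for user, times in per_user.items():
        times.sort()
        for i in range(len(times)):
            j = i
            while j + 1 < len(times) and times[j + 1] - times[i] <= window:
                j += 1
            if j - i + 1 >= threshold:
                bursts[user] = j - i + 1
                break
    return bursts


if __name__ == "__main__":
    for finding in find_cross_page_deletions(SAMPLE_LOG, SUBMISSION_PAGE, USER_PAGES):
        print("cross-page deletion:", finding)
    print("bursts:", find_deletion_bursts(SAMPLE_LOG))
```

The cross-page check only works against the submission-to-page map as it was before the deletions, so run it against a backup or a replica taken before the suspected window; after a successful deletion the ids are gone from the live table and the lookup returns nothing.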
How to Mitigate CVE-2026-44199
Immediate Actions Required
- Upgrade Wagtail to version 7.0.7, 7.3.2, or 7.4 depending on the deployed release branch
- Audit the list of users with any Wagtail admin access and remove accounts that no longer require form page management
- Review form submission data for unexplained deletions and restore from backups if integrity loss is identified
Patch Information
Torchbox released fixes in Wagtail 7.0.7, 7.3.2, and 7.4. Installations on the 7.0.x branch should upgrade to 7.0.7, installations on the 7.3.x branch should upgrade to 7.3.2, and installations tracking the latest release should move to 7.4. See the Wagtail GitHub Security Advisory GHSA-pwm3-7fv4-g6xx for full patch details.
Workarounds
- Restrict Wagtail admin access to trusted users only until patching is complete, reducing the population of accounts capable of exploiting the flaw
- Temporarily revoke form page permissions from non-essential admin users to minimize the attack surface
- Increase the frequency of database backups covering the form submissions table to enable rapid recovery from unauthorized deletions
# Upgrade Wagtail to a patched release using pip
pip install --upgrade "wagtail>=7.4"
# Or pin to the patched version for the 7.0.x branch
pip install "wagtail==7.0.7"
# Or pin to the patched version for the 7.3.x branch
pip install "wagtail==7.3.2"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


