CVE-2026-44200 Overview
CVE-2026-44200 is a broken access control vulnerability in Wagtail, an open source content management system (CMS) built on Django. The flaw affects versions prior to 7.0.7, 7.3.2, and 7.4. A CMS user with limited page access can copy a page they do not have permission to view into an area of the site they do control. After the copy, the user can read the page contents and potentially publish them. Wagtail correctly validated permissions on the copy destination but failed to validate permissions on the source page. The issue is tracked under CWE-280 (Improper Handling of Insufficient Permissions or Privileges).
Critical Impact
Authenticated low-privileged CMS users can read and republish restricted page content by abusing the page copy function, breaking content confidentiality boundaries.
Affected Products
- Torchbox Wagtail versions prior to 7.0.7
- Torchbox Wagtail versions prior to 7.3.2
- Torchbox Wagtail versions prior to 7.4
Discovery Timeline
- 2026-05-11 - CVE-2026-44200 published to NVD
- 2026-05-12 - Last updated in NVD database
Technical Details for CVE-2026-44200
Vulnerability Analysis
The vulnerability resides in the page copy workflow of the Wagtail admin interface. Wagtail uses a hierarchical permission model where each page can have distinct view, edit, and publish permissions assigned to user groups. When a CMS user invokes the copy action, the application must validate that the requesting user has permission to read the source page and permission to add pages under the destination parent.
The affected versions only enforced the second check. Permission validation on the destination parent was correctly applied, ensuring users could not copy content into restricted sections. However, the source page was never checked against the requesting user's read permissions. A user with limited access could therefore reference any source page by identifier and clone it into a section they control.
After cloning, the copied page lives within the attacker's permitted area and inherits permissions from the new parent. The user can read the duplicated content directly and, if their group holds publish rights in the destination, push the content live. This breaks confidentiality boundaries for draft pages, scheduled releases, and private content trees.
Root Cause
The root cause is a missing authorization check on the source object in the page copy handler. The code path validated write permissions on the target location but omitted the corresponding read check on the page being copied. This pattern matches CWE-280, where insufficient privilege handling permits access to resources outside the user's authorization scope.
Attack Vector
Exploitation requires an authenticated CMS account with low privileges and access to at least one writable section. The attacker submits a copy request referencing a source page identifier outside their permitted tree. The Wagtail backend processes the copy without verifying source access. The attacker then browses the destination tree to view the cloned content. No user interaction beyond the attacker's own session is required. Refer to the Wagtail GHSA-67rv-mg8q-5pf3 advisory for vendor technical details.
Detection Methods for CVE-2026-44200
Indicators of Compromise
- Wagtail admin audit log entries showing wagtail.copy actions where the acting user lacks historical edit activity on the source page tree.
- Unexpected duplicate pages appearing under low-privilege user sections with titles or slugs matching restricted or draft content.
- Page revisions created by accounts that previously had no interaction with the source content branch.
Detection Strategies
- Review the Wagtail PageLogEntry table for wagtail.copy actions and cross-reference the acting user against the source page's group permissions.
- Query the Django ORM for pages where the creating user does not have read permission on the original source path identified in the copy event.
- Enable verbose admin logging and forward Wagtail application logs to a central SIEM for correlation with user session activity.
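The example below, added here and not part of the Wagtail code base, models the tree-based permission check the Root Cause section says was missing and runs the Detection Strategies cross-reference over a constructed audit log. The page paths, group permissions, user names and the shape of the log entries are assumptions modelled loosely on Wagtail's materialized-path tree, GroupPagePermission and PageLogEntry.

```python
"""Constructed model of Wagtail's tree-based page permissions, with the copy
check the page describes as missing and a detector for the audit-log pattern
under Detection Strategies. Example code, not Wagtail's own."""
from dataclasses import dataclass
@dataclass
class Page:
    id: int
    path: str   # materialized path; a child's path extends its parent's
    title: str
# Constructed site: the contractor area is a sibling of a restricted draft.
PAGES = {1: Page(1, "0001", "Home"),
         2: Page(2, "00010002", "Q3 earnings (draft)"),
         3: Page(3, "00010003", "Contractor area")}
# (group, page path, permission type), modelled on GroupPagePermission; a
# permission granted on a page applies to its whole subtree.
PERMS = {("editors", "0001", "add"), ("editors", "0001", "edit"),
         ("contractors", "00010003", "add"), ("contractors", "00010003", "edit")}
GROUPS = {"alice": {"editors"}, "mallory": {"contractors"}}

def holds(user, page, perm=None):
    """True if a group of `user` holds `perm` (any type when None) on `page`
    or an ancestor, i.e. the page is inside a tree the user may explore."""
    return any(page.path.startswith(path) and perm in (None, p)
               for grp, path, p in PERMS if grp in GROUPS.get(user, ()))

def copy_page(user, source, dest_parent, check_source=True):
    """Copy handler. check_source=False reproduces the vulnerable code path,
    which authorised only the destination parent, never the source page."""
    if not holds(user, dest_parent, "add"):
        raise PermissionError("no add permission on destination")
    if check_source and not holds(user, source):          # the fix
        raise PermissionError("no view permission on source page")
    return Page(max(PAGES) + 1, dest_parent.path + "0001", source.title)

def suspicious_copies(log_entries):
    """(user, source id) for wagtail.copy entries whose actor holds no
    permission on the source tree. Entry shape is constructed after
    PageLogEntry: action, user and a data dict carrying the source id."""
    return [(e["user"], e["data"]["source"]["id"]) for e in log_entries
            if e["action"] == "wagtail.copy"
            and not holds(e["user"], PAGES[e["data"]["source"]["id"]])]

# Constructed audit log: one legitimate copy, one matching the IoC above.
LOG = [{"action": "wagtail.copy", "user": "alice",
        "data": {"source": {"id": 2}, "destination": {"id": 3}}},
       {"action": "wagtail.copy", "user": "mallory",
        "data": {"source": {"id": 2}, "destination": {"id": 3}}},
       {"action": "wagtail.edit", "user": "mallory", "data": {}}]
```

Running `suspicious_copies(LOG)` returns `[('mallory', 2)]`: the contractor account copied a draft it holds no permission on, which is exactly the entry the PageLogEntry review above is meant to surface.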
Monitoring Recommendations
- Alert on any copy operations targeting destinations outside the source page's permission group.
- Monitor for sudden spikes in page creation by accounts with restricted role assignments.
- Track publish actions on newly copied pages that occur within a short window after creation; a rapid copy-then-publish sequence can indicate an attempt to expose restricted content.
How to Mitigate CVE-2026-44200
Immediate Actions Required
- Upgrade Wagtail to version 7.0.7, 7.3.2, or 7.4 depending on your current release line.
- Audit existing pages and revision histories for unauthorized copies created prior to patching.
- Review CMS user group memberships and remove unnecessary copy or add permissions on sensitive page trees.
Patch Information
Torchbox released fixes in Wagtail 7.0.7, 7.3.2, and 7.4. The patches add source-page permission validation to the copy handler. Full remediation details are available in the Wagtail Security Advisory GHSA-67rv-mg8q-5pf3.
Workarounds
- Restrict the add permission on writable page trees to trusted editors only until the patch is applied.
- Temporarily disable the copy action for low-privilege groups through custom admin permission policies.
- Increase audit log review frequency to identify abuse of the copy workflow before upgrade completion.
# Upgrade Wagtail using pip to a fixed version
pip install --upgrade "wagtail>=7.4"
# Or for the 7.3.x line
pip install --upgrade "wagtail>=7.3.2,<7.4"
# Or for the 7.0.x line
pip install --upgrade "wagtail>=7.0.7,<7.1"
# Verify installed version
python -c "import wagtail; print(wagtail.__version__)"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.