CVE-2026-54259 in Wagtail
Summary
by MITRE • 07/02/2026
Wagtail is an open source content management system built on Django. In versions prior to 7.0.8, 7.3.3 and 7.4.2, the Documents and Images chooser's chosen endpoint incorrectly listed items for which the user has not been granted choose permission. A user with access to the Wagtail admin could see the filename, name and URLs of documents and images in those collections. The vulnerability is not exploitable by an ordinary site visitor without access to the Wagtail admin. This issue has been fixed in versions 7.0.8, 7.3.3, and 7.4.2.
Analysis
by VulDB Data Team • 07/02/2026
The vulnerability in Wagtail CMS versions prior to 7.0.8, 7.3.3, and 7.4.2 is an access control flaw in the Documents and Images chooser of the Wagtail admin interface. The chooser's chosen endpoint did not enforce collection permission boundaries: it returned the requested items regardless of whether the requesting user had been granted choose permission on the collection holding them. The flaw is a missing authorization check on the retrieval path, so an authenticated admin user could see documents and images that their assigned collection permissions should have hidden from them.
Concretely, the chosen endpoint's response contained the filename, name and URL of each requested media item without validating that the requesting user held choose permission for the collection containing that item. This is an authorization bug in application logic rather than a configuration problem: a user with admin access could enumerate metadata for assets in collections they were not permitted to choose from, and the endpoint's answer also confirmed that those assets exist. The advisory describes the exposure as names, filenames and URLs; it does not describe any write access or modification of the assets.
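The following stand-alone Python model illustrates the gap described above: a chosen endpoint that resolves requested ids straight from the asset table beside one that first restricts the lookup to the collections the user may choose from. It is an added example, not Wagtail's own code; the `Document` dataclass, the `CHOOSE_PERMISSIONS` table, the `SUPERUSERS` set and the function names are hypothetical simplifications of Wagtail's collection-based permission policy, and the sample documents are constructed for the example.

```python
"""
Stand-alone model of a collection-scoped "chosen" endpoint, written to
illustrate the missing choose-permission check. Added example, not
Wagtail's code: data model, permission table and function names are
hypothetical simplifications of Wagtail's collection permission policy.
"""
from dataclasses import dataclass
from typing import Dict, List, Set


@dataclass(frozen=True)
class Document:
    pk: int
    title: str
    filename: str
    collection: str  # name of the collection the document lives in

    @property
    def url(self) -> str:
        return f"/documents/{self.pk}/{self.filename}"


# Constructed sample data: two collections, one of them confidential.
DOCUMENTS: List[Document] = [
    Document(1, "Brand guidelines", "brand.pdf", "Public"),
    Document(2, "Press kit", "press-kit.zip", "Public"),
    Document(3, "Salary bands 2026", "salary-bands.xlsx", "HR"),
    Document(4, "Restructuring plan", "q3-restructure.docx", "HR"),
]

# Constructed permission table: the collections each user may choose from.
# (Wagtail derives this from group collection permissions; hard-coded here.)
CHOOSE_PERMISSIONS: Dict[str, Set[str]] = {
    "editor": {"Public"},
    "hr_manager": {"Public", "HR"},
}
SUPERUSERS: Set[str] = {"admin"}


def serialize(doc: Document) -> dict:
    """Metadata the chooser hands back to the editing page."""
    return {"id": doc.pk, "title": doc.title,
            "filename": doc.filename, "url": doc.url}


def collections_user_can_choose(user: str) -> Set[str]:
    """Collections for which `user` holds choose permission."""
    if user in SUPERUSERS:
        return {d.collection for d in DOCUMENTS}
    return CHOOSE_PERMISSIONS.get(user, set())


def chosen_vulnerable(user: str, ids: Set[int]) -> List[dict]:
    """Pre-fix behaviour: resolves the requested ids directly against the
    document table and never consults the user's choose permission, so a
    user who guesses or increments an id receives metadata for assets in
    collections hidden from them elsewhere in the admin."""
    return [serialize(d) for d in DOCUMENTS if d.pk in ids]


def chosen_fixed(user: str, ids: Set[int]) -> List[dict]:
    """Post-fix behaviour: the lookup is restricted to the collections the
    user may choose from before any metadata is serialized. Ids outside
    those collections are absent from the response, as if they did not
    exist, so the endpoint does not even confirm their existence."""
    allowed = collections_user_can_choose(user)
    return [serialize(d) for d in DOCUMENTS
            if d.pk in ids and d.collection in allowed]


def leaked_items(user: str, ids: Set[int]) -> List[dict]:
    """Difference between the two responses: exactly the metadata the
    pre-fix endpoint discloses to `user` beyond their permissions."""
    permitted = {d["id"] for d in chosen_fixed(user, ids)}
    return [d for d in chosen_vulnerable(user, ids) if d["id"] not in permitted]


if __name__ == "__main__":
    # An editor restricted to "Public" asks for every id from 1 to 4.
    for item in leaked_items("editor", {1, 2, 3, 4}):
        print("leaked to editor:", item)
```

The design point is where the filter sits: `chosen_fixed` narrows the queryset to permitted collections before serialization, so nothing about a forbidden asset (not even its existence) reaches the response. Checking permission after fetching and then stripping fields would still confirm that the id exists.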
From an operational perspective, this is an information disclosure inside the administrative interface that breaks the principle of least privilege. Exploitation requires an existing admin account, so ordinary site visitors are not affected; the impact is that a low-privileged admin user (for example an editor restricted to a single collection) can learn the names, filenames and URLs of assets in collections reserved for other teams. Those details can reveal unpublished or confidential material and give an insider reconnaissance data for targeting specific assets or further attacks against the site. This vulnerability is classified under CWE-285, Improper Authorization.
The mitigation is to upgrade to 7.0.8, 7.3.3 or 7.4.2, or a later release on the same branch, where the chosen endpoint validates choose permission before returning items. The advisory lists fixes on the 7.0, 7.3 and 7.4 branches only, so deployments on other affected 7.x releases should move to one of those branches rather than wait for a patch. Administrators should also review collection permissions so that admin users hold choose rights only on the collections appropriate to their role, and should check admin access logs for chooser requests from users who should not have had access to the collections concerned. The fix restores the integrity of the permission model by ensuring that only users with valid choose permission can retrieve details of a given asset, and it is a reminder that authorization checks in Django-based applications must be applied on every retrieval path, including secondary endpoints such as choosers, not only on the primary listing views.
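A branch-aware check of whether an installed Wagtail version falls in the affected range, as an added example rather than a tool from the Wagtail project. It encodes only the fix versions the advisory names (7.0.8, 7.3.3, 7.4.2). Two assumptions are made explicit in the code: branches newer than 7.4 are treated as carrying the fix, and 7.x branches with no listed fix (such as 7.1 or 7.2) are treated as affected with 7.4.2 as the suggested target, since no patched release exists on those branches.

```python
"""
Branch-aware check of an installed Wagtail version against the affected
range from the advisory (prior to 7.0.8, 7.3.3 and 7.4.2). Added example,
not a Wagtail project tool. Assumptions: branches newer than 7.4 include
the fix; branches with no listed fix release are treated as affected and
pointed at the newest fixed release.
"""
import re
from typing import Dict, Optional, Tuple

# Fix versions from the advisory, keyed by (major, minor) branch.
FIXED_PATCH: Dict[Tuple[int, int], int] = {(7, 0): 8, (7, 3): 3, (7, 4): 2}
NEWEST_FIXED_BRANCH = (7, 4)
NEWEST_FIXED_RELEASE = "7.4.2"

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(.*)$")
_PRERELEASE_RE = re.compile(r"^[.-]?(a|b|rc|dev)", re.IGNORECASE)


def parse_version(version: str) -> Tuple[int, int, int, bool]:
    """Return (major, minor, patch, is_prerelease). A missing patch is 0;
    an a/b/rc/dev suffix marks a pre-release (e.g. '7.4.2rc1')."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    major, minor, patch, suffix = m.groups()
    return int(major), int(minor), int(patch or 0), bool(_PRERELEASE_RE.match(suffix))


def is_affected(version: str) -> bool:
    """True if `version` predates the fix on its branch."""
    major, minor, patch, prerelease = parse_version(version)
    branch = (major, minor)
    if branch > NEWEST_FIXED_BRANCH:
        return False  # assumption: later branches were cut after the fix
    fixed = FIXED_PATCH.get(branch)
    if fixed is None:
        return True  # no fixed release on this branch (e.g. 7.1, 7.2, 6.x)
    if patch < fixed:
        return True
    # A pre-release of the fix version is treated conservatively as affected.
    return patch == fixed and prerelease


def upgrade_target(version: str) -> Optional[str]:
    """Patched release to move to, or None if `version` is not affected.
    Branches without a listed fix get the newest fixed release."""
    if not is_affected(version):
        return None
    major, minor, _, _ = parse_version(version)
    fixed = FIXED_PATCH.get((major, minor))
    if fixed is None:
        return NEWEST_FIXED_RELEASE
    return f"{major}.{minor}.{fixed}"


if __name__ == "__main__":
    # Constructed inventory of deployed versions, as a triage run would see them.
    for v in ["7.0.7", "7.0.8", "7.2.1", "7.3.3", "7.4.1", "7.4.2rc1", "7.5.0"]:
        print(f"{v:>8}  affected={is_affected(v)!s:5}  target={upgrade_target(v)}")
```

The value of the branch table over a plain "is it below 7.4.2" comparison is that a 7.3.3 deployment is correctly reported as patched while a 7.2.x deployment, which is numerically older than 7.3.3 but has no fix of its own, is reported as affected.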