GHSA-67rv-mg8q-5pf3
Suggest an improvement- Source
- https://github.com/advisories/GHSA-67rv-mg8q-5pf3
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-67rv-mg8q-5pf3/GHSA-67rv-mg8q-5pf3.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-67rv-mg8q-5pf3
- Aliases
-
- CVE-2026-44200
- Published
- 2026-05-08T20:23:11Z
- Modified
- 2026-05-08T20:31:16.065711Z
- Severity
-
- 6.5 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N CVSS Calculator
- Summary
- Wagtail has improper permission handling when copying pages
- Details
-
Impact
A CMS user with limited access to pages could copy a page they don't have access to to an area of the site they do. Once copied, they'd be able to view its contents, and potentially publish it. Permissions were correctly checked for the copy destination, but not for the source page.
Patches
Patched versions have been released as Wagtail 7.0.7 and 7.3.2. The new 7.4 LTS feature release also incorporates this fix.
Workarounds
No workaround is available.
Acknowledgements
Wagtail thanks independent security researcher Sanjok Karki @thesanjok for reporting this issue.
For more information
If there are any questions or comments about this advisory:
- Visit Wagtail's support channels
- Send an email to security@wagtail.org (view the security policy for more information).
- Database specific
{ "github_reviewed": true, "github_reviewed_at": "2026-05-08T20:23:11Z", "cwe_ids": [ "CWE-280" ], "severity": "MODERATE", "nvd_published_at": null }- References
Affected packages
PyPI / wagtail
Package
- Name
- wagtail
- View open source insights on deps.dev
- Purl
- pkg:pypi/wagtail
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed7.0.7
Affected versions
0.*
0.1
0.2
0.3
0.3.1
0.4
0.4.1
0.5
0.6
0.7
0.8
0.8.1
0.8.2
0.8.3
0.8.4
0.8.5
0.8.6
0.8.7
0.8.8
0.8.9
0.8.10
1.*
1.0b1
1.0b2
1.0rc1
1.0rc2
1.0
1.1rc1
1.1
1.2rc1
1.2
1.3rc1
1.3
1.3.1
1.4rc1
1.4
1.4.1
1.4.2
1.4.3
1.4.4
1.4.5
1.4.6
1.5rc1
1.5
1.5.1
1.5.2
1.5.3
1.6rc1
1.6
1.6.1
1.6.2
1.6.3
1.7rc1
1.7
1.8rc1
1.8
1.8.1
1.8.2
1.9rc1
1.9
1.9.1
1.10rc1
1.10
1.10.1
1.11rc1
1.11
1.11.1
1.12rc1
1.12
1.12.1
1.12.2
1.12.3
1.12.4
1.12.5
1.12.6
1.13rc1
1.13
1.13.1
1.13.2
1.13.3
1.13.4
2.*
2.0b1
2.0rc1
2.0
2.0.1
2.0.2
2.1rc1
2.1rc2
2.1
2.1.1
2.1.2
2.1.3
2.2rc1
2.2rc2
2.2
2.2.1
2.2.2
2.3rc1
2.3rc2
2.3
2.4rc1
2.4
2.5rc1
2.5
2.5.1
2.5.2
2.6rc1
2.6
2.6.1
2.6.2
2.6.3
2.7rc1
2.7rc2
2.7
2.7.1
2.7.2
2.7.3
2.7.4
2.8rc1
2.8
2.8.1
2.8.2
2.9rc1
2.9
2.9.1
2.9.2
2.9.3
2.10rc1
2.10rc2
2.10
2.10.1
2.10.2
2.11rc1
2.11
2.11.1
2.11.2
2.11.3
2.11.4
2.11.5
2.11.6
2.11.7
2.11.8
2.11.9
2.12rc1
2.12
2.12.1
2.12.2
2.12.3
2.12.4
2.12.5
2.12.6
2.13rc1
2.13rc2
2.13rc3
2.13
2.13.1
2.13.2
2.13.3
2.13.4
2.13.5
2.14rc1
2.14
2.14.1
2.14.2
2.15rc1
2.15rc2
2.15
2.15.1
2.15.2
2.15.3
2.15.4
2.15.5
2.15.6
2.16rc1
2.16rc2
2.16
2.16.1
2.16.2
2.16.3
3.*
3.0rc1
3.0rc2
3.0rc3
3.0
3.0.1
3.0.2
3.0.3
4.*
4.0rc1
4.0rc2
4.0
4.0.1
4.0.2
4.0.3
4.0.4
4.1rc1
4.1
4.1.1
4.1.2
4.1.3
4.1.4
4.1.5
4.1.6
4.1.7
4.1.8
4.1.9
4.2rc1
4.2
4.2.1
4.2.2
4.2.3
4.2.4
5.*
5.0rc1
5.0
5.0.1
5.0.2
5.0.3
5.0.4
5.0.5
5.1rc1
5.1
5.1.1
5.1.2
5.1.3
5.2rc1
5.2
5.2.1
5.2.2
5.2.3
5.2.4
5.2.5
5.2.6
5.2.7
5.2.8
6.*
6.0rc1
6.0
6.0.1
6.0.2
6.0.3
6.0.4
6.0.5
6.0.6
6.1rc1
6.1rc2
6.1
6.1.1
6.1.2
6.1.3
6.2rc1
6.2
6.2.1
6.2.2
6.2.3
6.2.4
6.3rc1
6.3rc2
6.3
6.3.1
6.3.2
6.3.3
6.3.4
6.3.5
6.3.6
6.3.7
6.3.8
6.4rc1
6.4
6.4.1
6.4.2
7.*
7.0rc1
7.0
7.0.1
7.0.2
7.0.3
7.0.4
7.0.5
7.0.6
PyPI / wagtail
Package
- Name
- wagtail
- View open source insights on deps.dev
- Purl
- pkg:pypi/wagtail