Intel

AIKIDO-2026-189685

wagtail is vulnerable to Improper Access Control

Improper Access ControlCVE-2026-54259 Published 3 days ago

43

Medium Risk

This Affects:

PYTHONwagtail
0.0.1 - 7.0.7
Fixed in 7.0.8
7.1.0 - 7.3.2
Fixed in 7.3.3
7.4.0 - 7.4.1
Fixed in 7.4.2
Are you affected? Scan for Free

TL;DR

The Documents and Images chooser chosen endpoint does not enforce collection choose permissions. A user with access to the Wagtail admin can view the filename, title, and URLs of documents and images in collections they were not granted access to. This exposes metadata about restricted media to unauthorized admin users. The fix adds instance-level permission checks to the chosen endpoints.

Who does this affect?

You are affected if you are using a version that falls within the vulnerable range and grant users access to the Wagtail admin.

Background info

wagtail is vulnerable to Improper Access Control in versions 0.0.1 - 7.0.7, 7.1.0 - 7.3.2 and 7.4.0 - 7.4.1.

How to fix this

Upgrade the wagtail library to the patch version.