Intel

AIKIDO-2026-931250

wagtail is vulnerable to Improper Access Control

Improper Access ControlCVE-2026-54261 Published 3 days ago

65

Medium Risk

This Affects:

PYTHONwagtail
0.0.1 - 7.0.7
Fixed in 7.0.8
7.1.0 - 7.3.2
Fixed in 7.3.3
7.4.0 - 7.4.1
Fixed in 7.4.2
Are you affected? Scan for Free

TL;DR

The image preview endpoint is missing a permission check on the target image. A user with access to the Wagtail admin can preview any image regardless of the permissions on it. The underlying image object data is not exposed, but the rendered preview is. The fix enforces a per-image change permission check before rendering the preview.

Who does this affect?

You are affected if you are using a version that falls within the vulnerable range and grant users access to the Wagtail admin.

Background info

wagtail is vulnerable to Improper Access Control in versions 0.0.1 - 7.0.7, 7.1.0 - 7.3.2 and 7.4.0 - 7.4.1.

How to fix this

Upgrade the wagtail library to the patch version.