Wagtail: Improper restriction handling on Documents and Images API

5.3 / 10

MEDIUM

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Description

Wagtail is an open source content management system built on Django. Prior to 7.0.7, 7.3.2, and 7.4, the Documents and Images API incorrectly listed items in private collections. A user with access to the API could see the filename and name of documents and images in private collections. This vulnerability is fixed in 7.0.7, 7.3.2, and 7.4.

Basic Information

ID CVE-2026-44201

Source GitHub_M

Published May 11, 2026 at 14:42

Affected Product

Vendor wagtail

Product wagtail

Version < 7.0.7

Affected Versions wagtail wagtail < 7.0.7
wagtail wagtail >= 7.1, < 7.3.2

CWE Classification

CWE-280

References

github.com /wagtail/wagtail/security/advisories/GHSA-p5gm-92h4-6pv6

{
    "lastseen": "",
    "description": "Wagtail is an open source content management system built on Django. Prior to 7.0.7, 7.3.2, and 7.4, the Documents and Images API incorrectly listed items in private collections. A user with access to the API could see the filename and name of documents and images in private collections. This vulnerability is fixed in 7.0.7, 7.3.2, and 7.4.",
    "published": "2026-05-11T14:42:22.055Z",
    "modified": "2026-05-11T14:42:22.055Z",
    "type": "cve",
    "title": "Wagtail: Improper restriction handling on Documents and Images API",
    "source": "GitHub_M",
    "references": "https://github.com/wagtail/wagtail/security/advisories/GHSA-p5gm-92h4-6pv6",
    "id": "CVE-2026-44201",
    "bulletinFamily": "",
    "cwe": [
        "CWE-280"
    ],
    "cvelist": null,
    "sourceData": "wagtail wagtail < 7.0.7\nwagtail wagtail >= 7.1, < 7.3.2",
    "sourceHref": "",
    "cvss": {
        "score": 5.3,
        "severity": "MEDIUM",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "wagtail",
    "version": "< 7.0.7",
    "vendor": "wagtail",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

Wagtail: Improper restriction handling on Documents and Images API_CVE-2026-44201