Permission Check Flaw in Wagtail Content Management System
CVE-2026-54261
6.5 MEDIUM
What is CVE-2026-54261?
A missing permission check in the Wagtail content management system allows users with admin access to preview any image in the system without the proper permissions. This does not expose the underlying data of the image object itself, but it gives access to image previews to users who should not have viewing rights. The issue is resolved in Wagtail 7.0.8, 7.3.3, and 7.4.2, which implement the necessary permission checks at the image preview endpoint.
Affected Version(s)
wagtail < 7.0.8
wagtail >= 7.1.0, < 7.3.3
wagtail >= 7.4.0, < 7.4.2
