Permission Check Flaw in Wagtail Content Management System
CVE-2026-54261

6.5 MEDIUM

Key Information:

Vendor: Wagtail

Status
Vendor
CVE Published: 1 July 2026

What is CVE-2026-54261?

A missing permission check in the Wagtail content management system allows users with admin access to preview any image in the system, including images they have no permission to view. The underlying data of the image object itself is not exposed, but image previews become available to users who should not have viewing rights. The issue is resolved in Wagtail 7.0.8, 7.3.3, and 7.4.2, which add the necessary permission checks at the image preview endpoint.

Affected Version(s)

wagtail < 7.0.8

wagtail >= 7.1.0, < 7.3.3

wagtail >= 7.4.0, < 7.4.2
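
A version check against the ranges listed above, as an added example (not code from Wagtail or from this advisory). The function names and the sample requirements lines are constructed for illustration; pre-release suffixes such as `rc1` are ignored, which is an assumption.

```python
import re

# Affected ranges from this page: (inclusive lower bound or None, first patched release).
AFFECTED_RANGES = [
    (None, (7, 0, 8)),
    ((7, 1, 0), (7, 3, 3)),
    ((7, 4, 0), (7, 4, 2)),
]

# Matches an exact pin of the "wagtail" package only, not e.g. "wagtail-localize".
_PIN = re.compile(r"^\s*wagtail\s*==\s*([0-9]+(?:\.[0-9]+)*)", re.IGNORECASE)


def parse_version(text):
    """Turn '7.3' or '7.3.2' into a 3-tuple of ints (suffixes ignored: assumption)."""
    match = re.match(r"\d+(?:\.\d+)*", text.strip())
    if not match:
        raise ValueError(f"not a version: {text!r}")
    parts = [int(p) for p in match.group(0).split(".")][:3]
    return tuple(parts + [0] * (3 - len(parts)))


def patched_release_for(version):
    """Return the patched release closing the range `version` falls in, else None."""
    v = parse_version(version)
    for low, fixed in AFFECTED_RANGES:
        if (low is None or v >= low) and v < fixed:
            return ".".join(str(n) for n in fixed)
    return None


def is_affected(version):
    return patched_release_for(version) is not None


def audit_requirements(lines):
    """Return (line number, pinned version, patched release) for affected pins."""
    findings = []
    for number, line in enumerate(lines, 1):
        match = _PIN.match(line)
        if match and is_affected(match.group(1)):
            findings.append((number, match.group(1), patched_release_for(match.group(1))))
    return findings


# Constructed sample input, not taken from any real project.
SAMPLE = ["Django==5.2", "wagtail==7.3.2", "wagtail-localize==1.12"]
```

Only exact `==` pins are inspected; unpinned or range-constrained entries need the resolved version from the installed environment instead.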

CVSS V3.1

Score: 6.5
Severity: MEDIUM
Confidentiality: High
Integrity: None
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
