{"id":"GHSA-c4mr-889m-vgf6","summary":"Wagtail has improper permission handling when viewing page history","details":"### Impact\n\nA CMS user without the ability to edit a page could still access the history report for the page, potentially resulting in disclosure of sensitive information.\n\n### Patches\nPatched versions have been released as Wagtail 7.0.7 and 7.3.2. The new 7.4 LTS feature release also incorporates this fix.\n\n### Workarounds\n\nNo workaround is available.\n\n### Acknowledgements\n\nWagtail thanks Seoyoung Kang @seoyoung-kang who is from AhnLab and also an independent security researcher for reporting this issue.\n\n### For more information\nIf there are any questions or comments about this advisory:\n\n* Visit Wagtail's [support channels](https://docs.wagtail.org/en/stable/support.html)\n* Send an email to [security@wagtail.org](mailto:security@wagtail.org) (view the [security policy](https://github.com/wagtail/wagtail/security/policy) for more information).","aliases":["CVE-2026-44198"],"modified":"2026-05-08T20:32:27.041904Z","published":"2026-05-08T20:19:08Z","database_specific":{"cwe_ids":["CWE-280"],"github_reviewed":true,"github_reviewed_at":"2026-05-08T20:19:08Z","nvd_published_at":null,"severity":"MODERATE"},"references":[{"type":"WEB","url":"https://github.com/wagtail/wagtail/security/advisories/GHSA-c4mr-889m-vgf6"},{"type":"PACKAGE","url":"https://github.com/wagtail/wagtail"}],"affected":[{"package":{"name":"wagtail","ecosystem":"PyPI","purl":"pkg:pypi/wagtail"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"7.0.7"}]}],"versions":["0.1","0.2","0.3","0.3.1","0.4","0.4.1","0.5","0.6","0.7","0.8","0.8.1","0.8.10","0.8.2","0.8.3","0.8.4","0.8.5","0.8.6","0.8.7","0.8.8","0.8.9","1.0","1.0b1","1.0b2","1.0rc1","1.0rc2","1.1","1.10","1.10.1","1.10rc1","1.11","1.11.1","1.11rc1","1.12","1.12.1","1.12.2","1.12.3","1.12.4","1.12.5","1.12.6","1.12rc1","1.13","1.13.1","1.13.2","1.13.3","1.13.4","1.13rc1","1.1rc1","1.2","1.2rc1","1.3","1.3.1","1.3rc1","1.4","1.4.1","1.4.2","1.4.3","1.4.4","1.4.5","1.4.6","1.4rc1","1.5","1.5.1","1.5.2","1.5.3","1.5rc1","1.6","1.6.1","1.6.2","1.6.3","1.6rc1","1.7","1.7rc1","1.8","1.8.1","1.8.2","1.8rc1","1.9","1.9.1","1.9rc1","2.0","2.0.1","2.0.2","2.0b1","2.0rc1","2.1","2.1.1","2.1.2","2.1.3","2.10","2.10.1","2.10.2","2.10rc1","2.10rc2","2.11","2.11.1","2.11.2","2.11.3","2.11.4","2.11.5","2.11.6","2.11.7","2.11.8","2.11.9","2.11rc1","2.12","2.12.1","2.12.2","2.12.3","2.12.4","2.12.5","2.12.6","2.12rc1","2.13","2.13.1","2.13.2","2.13.3","2.13.4","2.13.5","2.13rc1","2.13rc2","2.13rc3","2.14","2.14.1","2.14.2","2.14rc1","2.15","2.15.1","2.15.2","2.15.3","2.15.4","2.15.5","2.15.6","2.15rc1","2.15rc2","2.16","2.16.1","2.16.2","2.16.3","2.16rc1","2.16rc2","2.1rc1","2.1rc2","2.2","2.2.1","2.2.2","2.2rc1","2.2rc2","2.3","2.3rc1","2.3rc2","2.4","2.4rc1","2.5","2.5.1","2.5.2","2.5rc1","2.6","2.6.1","2.6.2","2.6.3","2.6rc1","2.7","2.7.1","2.7.2","2.7.3","2.7.4","2.7rc1","2.7rc2","2.8","2.8.1","2.8.2","2.8rc1","2.9","2.9.1","2.9.2","2.9.3","2.9rc1","3.0","3.0.1","3.0.2","3.0.3","3.0rc1","3.0rc2","3.0rc3","4.0","4.0.1","4.0.2","4.0.3","4.0.4","4.0rc1","4.0rc2","4.1","4.1.1","4.1.2","4.1.3","4.1.4","4.1.5","4.1.6","4.1.7","4.1.8","4.1.9","4.1rc1","4.2","4.2.1","4.2.2","4.2.3","4.2.4","4.2rc1","5.0","5.0.1","5.0.2","5.0.3","5.0.4","5.0.5","5.0rc1","5.1","5.1.1","5.1.2","5.1.3","5.1rc1","5.2","5.2.1","5.2.2","5.2.3","5.2.4","5.2.5","5.2.6","5.2.7","5.2.8","5.2rc1","6.0","6.0.1","6.0.2","6.0.3","6.0.4","6.0.5","6.0.6","6.0rc1","6.1","6.1.1","6.1.2","6.1.3","6.1rc1","6.1rc2","6.2","6.2.1","6.2.2","6.2.3","6.2.4","6.2rc1","6.3","6.3.1","6.3.2","6.3.3","6.3.4","6.3.5","6.3.6","6.3.7","6.3.8","6.3rc1","6.3rc2","6.4","6.4.1","6.4.2","6.4rc1","7.0","7.0.1","7.0.2","7.0.3","7.0.4","7.0.5","7.0.6","7.0rc1"],"database_specific":{"source":"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-c4mr-889m-vgf6/GHSA-c4mr-889m-vgf6.json"}},{"package":{"name":"wagtail","ecosystem":"PyPI","purl":"pkg:pypi/wagtail"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"7.1"},{"fixed":"7.3.2"}]}],"versions":["7.1","7.1.1","7.1.2","7.1.3","7.2","7.2.1","7.2.2","7.2.3","7.2rc1","7.3","7.3.1","7.3rc1"],"database_specific":{"source":"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-c4mr-889m-vgf6/GHSA-c4mr-889m-vgf6.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N"}]}