SB20260505112 - Missing Authorization in wagtail
Published: May 5, 2026

Security Bulletin ID: SB20260505112
CSH Severity: Low
Patch available: YES
Number of vulnerabilities: 1
Exploitation vector: Remote access
Highest impact: Information disclosure

Breakdown by Severity

Low: 100%

Description

This security bulletin contains information about 1 vulnerability.


1) Missing Authorization (CVE-ID: CVE-2026-25517)

CWE-ID: CWE-862 - Missing Authorization

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote user to disclose sensitive information.

The vulnerability exists due to improper access control in the admin preview endpoints when handling crafted preview form submissions. A remote privileged user can submit a specially crafted preview form to obtain a preview rendering of a page, snippet, or site setting object and disclose sensitive information.

The issue is limited to users who already have access to the Wagtail admin, and the existing stored data of the targeted object itself is not exposed.
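The bulletin describes a CWE-862 pattern: a preview endpoint that verifies only that the caller may use the admin at all, not that the caller may edit the specific object the submitted form points at. The following is an added, self-contained Python illustration of that pattern beside its hardened form; it is not Wagtail's code, and every name in it (`User`, `PreviewSubmission`, `OBJECTS`, `preview_vulnerable`, `preview_hardened`) is a hypothetical stand-in, with the object registry constructed inline. The bulletin does not state which Wagtail code path was affected, so the example shows the general object-level check a defender would look for, not the vendor's fix.

```python
from dataclasses import dataclass, field


class Forbidden(Exception):
    """Raised when the requesting user may not preview the target object."""


@dataclass
class User:
    name: str
    has_admin_access: bool                          # may enter the admin UI at all
    edit_perms: set = field(default_factory=set)    # {(model, object_id), ...} the user may edit


@dataclass
class PreviewSubmission:
    """Constructed stand-in for a preview form POST: target object plus submitted field values."""
    user: User
    model: str
    object_id: int
    form_data: dict


# Constructed registry standing in for the database (hypothetical sample objects).
OBJECTS = {
    "page": {1: "Home"},
    "snippet": {7: "Footer"},
    "site_setting": {1: "Site settings"},
}


def _lookup(model, object_id):
    try:
        return OBJECTS[model][object_id]
    except KeyError:
        raise LookupError(f"no {model} with id {object_id}") from None


def _render(model, object_id, form_data):
    # Stand-in for template rendering: the submitted data is merged over the target object.
    title = _lookup(model, object_id)
    fields = ", ".join(f"{k}={v!r}" for k, v in sorted(form_data.items()))
    return f"<preview {model}#{object_id} '{title}': {fields}>"


def preview_vulnerable(sub):
    """CWE-862 pattern: only the coarse 'is an admin user' check.

    Nothing verifies that the user may edit the object named in the submission,
    so any admin-capable user obtains a rendering of any page, snippet or setting.
    """
    if not sub.user.has_admin_access:
        raise Forbidden("admin access required")
    return _render(sub.model, sub.object_id, sub.form_data)


def preview_hardened(sub):
    """Object-level authorization: the user must hold edit permission on the exact target.

    The permission check runs before the object lookup, so a user without rights
    gets the same Forbidden whether or not the object exists.
    """
    if not sub.user.has_admin_access:
        raise Forbidden("admin access required")
    if (sub.model, sub.object_id) not in sub.user.edit_perms:
        raise Forbidden(f"{sub.user.name} may not edit {sub.model}#{sub.object_id}")
    return _render(sub.model, sub.object_id, sub.form_data)


def demo():
    """An admin-capable user with rights only on snippet#7 asks to preview page#1."""
    limited = User("limited", has_admin_access=True, edit_perms={("snippet", 7)})
    sub = PreviewSubmission(limited, "page", 1, {"title": "x"})
    vulnerable = preview_vulnerable(sub)           # rendering returned despite no rights
    try:
        preview_hardened(sub)
        hardened = "allowed"
    except Forbidden:
        hardened = "denied"
    return vulnerable, hardened


if __name__ == "__main__":
    print(demo())
```

The check worth auditing in any preview or "render this object with these values" endpoint is the second `if` in `preview_hardened`: the permission must be keyed on the object the form submission names, not on the user's general ability to reach the admin.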


Remediation

Install the update from the vendor's website.