Improper Handling of Insufficient Permissions or Privileges in wagtail - CVE-2026-54259

 


Published: June 16, 2026


Vulnerability identifier: #VU134573
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2026-54259
CWE-ID: CWE-280
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Torchbox
Affected software:
wagtail

Detailed vulnerability description

The vulnerability allows a remote user to disclose sensitive information.

The vulnerability exists due to improper handling of insufficient permissions or privileges in the "chosen" endpoint of the Documents and Images choosers when handling requests for selected items. A remote user can request items they are not permitted to choose and thereby disclose sensitive information.

The issue is only exploitable by a user with access to the Wagtail admin.


How to mitigate CVE-2026-54259

Install the security update from the vendor's website.
