Improper Handling of Insufficient Permissions or Privileges in wagtail - CVE-2026-54261

 

Published: June 16, 2026


Vulnerability identifier: #VU134575
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2026-54261
CWE-ID: CWE-280
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Torchbox
Affected software:
wagtail

Detailed vulnerability description

The vulnerability allows a remote user to disclose sensitive information.

The vulnerability exists due to improper handling of insufficient permissions or privileges in the image preview endpoint. A remote user can request a preview of any image to disclose sensitive information.

The issue is limited to users with access to the Wagtail admin, and the existing data of the image object itself is not exposed.


How to mitigate CVE-2026-54261

Install the security update from the vendor's website.
