CVE-2026-25517
📋 TL;DR
This CVE describes a missing authorization vulnerability in Wagtail CMS preview endpoints. Authenticated Wagtail admin users can craft form submissions to preview any page, snippet, or site setting object with arbitrary data, potentially exposing database contents that should only be accessible to users with edit permissions. The vulnerability requires admin access and cannot be exploited by ordinary site visitors.
💻 Affected Systems
- Wagtail CMS
📦 What is this software?
Wagtail by Torchbox
⚠️ Risk & Real-World Impact
Worst Case
An authenticated malicious admin could use crafted previews to extract sensitive database information through template rendering, potentially exposing confidential data or system details.
Likely Case
Privilege escalation where users with limited admin access can preview content they shouldn't have permission to view, potentially exposing sensitive data through template context.
If Mitigated
Limited impact if proper access controls and template sanitization are already in place, though unauthorized preview access remains possible.
🎯 Exploit Status
Exploitation requires knowledge of model fields and crafting specific form submissions. No public exploit code identified in references.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 6.3.6, 7.0.4, 7.1.3, 7.2.2, or 7.3
Vendor Advisory: https://github.com/wagtail/wagtail/security/advisories
Restart Required: Yes
Instructions:
1. Identify your Wagtail version.
2. Upgrade to the patched version matching your major release: 6.x → 6.3.6, 7.0.x → 7.0.4, 7.1.x → 7.1.3, 7.2.x → 7.2.2, or 7.3.
3. Restart your Django application server.
4. Verify the fix by testing preview functionality.
🔧 Temporary Workarounds
Disable preview endpoints
- Temporarily disable Wagtail preview functionality until patching is possible
- Modify Django settings to remove preview URL patterns or override preview views
Restrict admin access
- Limit Wagtail admin access to only essential personnel
- Review and tighten Django authentication and authorization configurations
🧯 If You Can't Patch
- Implement strict access controls to limit Wagtail admin access to trusted users only
- Audit and sanitize all templates to prevent data leakage even if preview is exploited
🔍 How to Verify
Check if Vulnerable:
Check the installed Wagtail version via Python: python -c "import wagtail; print(wagtail.__version__)" and compare it with the patched versions listed above (anything below the fix for your release series is affected)
Check Version:
python -c "import wagtail; print(wagtail.__version__)"
Verify Fix Applied:
After patching, test preview functionality with a non-editor user account to ensure proper permission checks
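The version comparison above is easy to get wrong by hand because the fix landed in four separate release series. The script below is an added example (not part of this advisory or the Wagtail project) that encodes the patched-version table from the fix instructions and decides whether a given version string is still affected. It assumes that any release series older than those listed (for example 5.x) should be treated as unpatched, and it ignores pre-release suffixes such as rc1, treating them as the base version.

```python
"""Check a Wagtail version string against the fixed releases for CVE-2026-25517."""
import re

# First patched release per series, taken from the advisory's fix instructions.
# Keys are the series prefix (major,) or (major, minor); values are the first fixed version.
PATCHED = {
    (6,): (6, 3, 6),
    (7, 0): (7, 0, 4),
    (7, 1): (7, 1, 3),
    (7, 2): (7, 2, 2),
}
# 7.3 and every later release ship the fix.
FIXED_AT_OR_ABOVE = (7, 3)


def parse_version(text):
    """Return (major, minor, patch) for strings like '7.1.2', '7.3' or '7.2rc1'.

    Pre-release suffixes are dropped (assumption: treat them as the base release).
    """
    m = re.match(r"^\s*(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def first_fixed_version(version):
    """Return the first patched release for this version's series, or None if the
    series is older than anything in the advisory's table."""
    major, minor, _patch = version
    if (major, minor) >= FIXED_AT_OR_ABOVE:
        return FIXED_AT_OR_ABOVE + (0,)
    for prefix, fixed in PATCHED.items():
        if version[: len(prefix)] == prefix:
            return fixed
    return None


def is_vulnerable(version_text):
    """True if the given Wagtail version predates the fix for its release series."""
    version = parse_version(version_text)
    fixed = first_fixed_version(version)
    if fixed is None:
        # Assumption: a series older than the table (e.g. 5.x) has no fix and needs upgrading.
        return True
    return version < fixed


def check_installed():
    """Report on the Wagtail installed in the current environment, if any."""
    try:
        import wagtail
    except ImportError:
        return "wagtail is not installed in this environment"
    installed = wagtail.__version__
    if is_vulnerable(installed):
        fixed = first_fixed_version(parse_version(installed))
        target = ".".join(map(str, fixed)) if fixed else "a supported, patched series"
        return f"Wagtail {installed} is affected; upgrade to {target}"
    return f"Wagtail {installed} includes the fix"


if __name__ == "__main__":
    print(check_installed())
```

Run it inside the virtualenv of each Wagtail deployment, or feed `is_vulnerable()` the version strings collected from an inventory to triage a fleet; a version that parses but falls outside the table is reported as affected rather than silently skipped.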
📡 Detection & Monitoring
Log Indicators:
- Unusual preview requests from admin users, especially for objects they shouldn't access
- Multiple failed permission checks on preview endpoints
Network Indicators:
- HTTP POST requests to /admin/preview/ endpoints with crafted form data
SIEM Query:
source="wagtail_logs" AND (url_path="/admin/preview/" OR event="preview") AND user_permissions!="edit"
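To show how the log and network indicators above translate into detection logic, here is an added example (not from this advisory or from Wagtail) that runs the same two checks the SIEM query expresses over a handful of constructed JSON log lines. The log schema (fields user, method, path, status, permissions) and the URL paths are assumptions for illustration, not Wagtail's own logging format; adapt the field names to whatever your application or reverse-proxy logs actually emit.

```python
"""Flag preview requests from users without edit permission in constructed Wagtail admin logs."""
import json
from collections import Counter

# Constructed sample: one JSON object per line, hypothetical schema. Not real Wagtail logs.
SAMPLE_LOGS = """
{"ts":"2026-02-01T10:00:01Z","user":"editor1","method":"POST","path":"/admin/pages/42/edit/preview/","status":200,"permissions":["view","edit"]}
{"ts":"2026-02-01T10:00:05Z","user":"viewer1","method":"POST","path":"/admin/pages/42/edit/preview/","status":403,"permissions":["view"]}
{"ts":"2026-02-01T10:00:09Z","user":"viewer1","method":"POST","path":"/admin/snippets/blog/author/7/preview/","status":403,"permissions":["view"]}
{"ts":"2026-02-01T10:00:14Z","user":"viewer1","method":"POST","path":"/admin/settings/base/sitesettings/1/preview/","status":200,"permissions":["view"]}
{"ts":"2026-02-01T10:00:20Z","user":"editor1","method":"GET","path":"/admin/pages/42/edit/","status":200,"permissions":["view","edit"]}
{"ts":"2026-02-01T10:00:25Z","user":"viewer1","method":"POST","path":"/admin/pages/42/edit/preview/","status":403,"permissions":["view"]}
"""


def parse_log_lines(text):
    """Parse newline-delimited JSON into a list of event dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def is_preview_request(event):
    """A preview submission: POST to an admin URL whose path contains a preview segment."""
    path = event.get("path", "")
    return event.get("method") == "POST" and path.startswith("/admin/") and "/preview" in path


def preview_requests_without_edit(events):
    """Equivalent of the SIEM query: preview requests by users lacking the edit permission."""
    return [e for e in events if is_preview_request(e) and "edit" not in e.get("permissions", [])]


def preview_denials_per_user(events):
    """Count preview requests rejected by a permission check (HTTP 403), per user."""
    counts = Counter()
    for e in events:
        if is_preview_request(e) and e.get("status") == 403:
            counts[e["user"]] += 1
    return counts


def alerts(events, denial_threshold=3):
    """Produce one alert per 'multiple failed permission checks' user and one per
    preview that succeeded for a user without edit permission (the unpatched case)."""
    out = []
    for user, n in sorted(preview_denials_per_user(events).items()):
        if n >= denial_threshold:
            out.append(f"{user}: {n} preview requests denied by permission checks")
    for e in preview_requests_without_edit(events):
        if e.get("status") == 200:
            out.append(f"{e['user']}: preview of {e['path']} succeeded without edit permission")
    return out


if __name__ == "__main__":
    for line in alerts(parse_log_lines(SAMPLE_LOGS)):
        print(line)
```

The second alert type is the one that matters on an unpatched instance: a 200 response to a preview request from a user who cannot edit the object is exactly the missing authorization described in the TL;DR, whereas a run of 403s shows the patched permission check doing its job and a user probing it.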
🔗 References
- https://github.com/wagtail/wagtail/commit/01fd3477365a193e6a8270311defb76e890d2719
- https://github.com/wagtail/wagtail/commit/5f09b6da61e779b0e8499bdbba52bf2f7bd3241f
- https://github.com/wagtail/wagtail/commit/73f070dbefbd3b39ea6649ce36bd2d2a6eef2190
- https://github.com/wagtail/wagtail/commit/7dfe8de5f8b3f112c73c87b6729197db16454915
- https://github.com/wagtail/wagtail/commit/dd824023a031f1b82a6b6f83a97a5c73391b7c03
- https://github.com/wagtail/wagtail/security/advisories/GHSA-4qvv-g3vr-m348