Wagtail Documents and Images API Improper Restriction Vulnerability

Vulnerability

A vulnerability exists in the Wagtail Documents and Images API in versions prior to 7.0.7, 7.1 through 7.3.1, and 7.4. It allows users with API access to view the names and filenames of documents and images in private collections, which should not be accessible to them. The vulnerability arises from improper handling of access restrictions in the API.

Impact

Exploitation of this vulnerability allows unauthorized access to the names and filenames of documents and images in private collections via the Wagtail Documents and Images API.

Remediation

Users can upgrade to Wagtail versions 7.0.7, 7.3.2, or 7.4 to address this vulnerability. Additionally, site owners can add authentication to the Documents and Images APIs as a workaround.
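To confirm that the authentication workaround is actually in force, the following check sends anonymous requests to both API listings and reports whether each one demands credentials. It is an added example, not part of the original advisory or of Wagtail's code. The `/api/v2/documents/` and `/api/v2/images/` mount points, the function names and the base URL are assumptions to adapt to the site's own URL configuration.

```python
"""Check that Wagtail's Documents and Images API listings reject anonymous requests."""
import sys
import urllib.error
import urllib.request

# Assumed mount points (the paths shown in Wagtail's API docs); match your urls.py.
ENDPOINTS = ("/api/v2/documents/", "/api/v2/images/")


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Surface 3xx responses as HTTPError instead of following them to a login page."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def anonymous_status(url, timeout=5.0):
    """Return the HTTP status of a GET sent with no credentials or cookies."""
    opener = urllib.request.build_opener(_NoRedirect)
    req = urllib.request.Request(url, headers={"Accept": "application/json"})
    try:
        with opener.open(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as exc:
        return exc.code  # 3xx/4xx/5xx responses arrive as exceptions


def classify(status):
    """Map a status code to a verdict on the authentication workaround."""
    if status in (401, 403):
        return "protected"  # the API demanded credentials
    if 200 <= status < 300:
        return "open"  # listing was served to an anonymous client
    return "inconclusive"  # e.g. 404 (not mounted here) or a redirect


def audit(base_url, endpoints=ENDPOINTS):
    """Check each endpoint under base_url and return {path: verdict}."""
    base = base_url.rstrip("/")
    return {path: classify(anonymous_status(base + path)) for path in endpoints}


if __name__ == "__main__":
    results = audit(sys.argv[1])  # e.g. https://cms.example.org (placeholder)
    for path, verdict in results.items():
        print(f"{verdict:12} {path}")
    sys.exit(1 if "open" in results.values() else 0)
```

An `open` verdict is expected on an upgraded site whose API is intentionally public; the check matters where authentication is the chosen workaround.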

Added: May 11, 2026, 4:33 PM
Updated: May 11, 2026, 4:33 PM

Vulnerability Rating

Custom Algorithm

spread: 5.2
impact: 0.6
exploitability: 8.3
remediation: 8.3
relevance: 8.0
threat: 0.0
urgency: 2.9
incentive: 8.3

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.