CVE-2026-44199: Wagtail has improper permission handling when deleting form submissions
A CMS user with limited access to form pages could delete submissions belonging to form pages they don't have access to. They could do this by crafting a form submission that deletes submissions on a page they do have access to, but that targets submissions they don't have access to.
The vulnerability is not exploitable by an ordinary site visitor without access to the Wagtail admin.
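The flaw class described above, as an added example that is not Wagtail's code: a simplified model in which permission is checked on the page named in the request while submissions are selected by id alone, next to one way of scoping the ids to the authorised page. All names and data here (`Submission`, `can_manage`, `delete_unscoped`, `delete_scoped`, the sample store and permission table) are hypothetical and constructed for illustration.

```python
# Constructed model of the flaw class described above; not Wagtail code.
# Every name and value here is hypothetical.
from dataclasses import dataclass


@dataclass(frozen=True)
class Submission:
    id: int
    page_id: int


# Constructed sample data: two form pages (10 and 20), two submissions each.
STORE = {s.id: s for s in (Submission(1, 10), Submission(2, 10),
                           Submission(3, 20), Submission(4, 20))}
# Constructed permission table: "editor" may manage page 10 only.
PERMS = {"editor": {10}}


def can_manage(user, page_id):
    return page_id in PERMS.get(user, set())


def delete_unscoped(store, user, page_id, ids):
    """Flawed pattern: the permission check covers the page named in the
    request, but submissions are looked up by id alone."""
    if not can_manage(user, page_id):
        raise PermissionError(page_id)
    return [store.pop(i).id for i in dict.fromkeys(ids) if i in store]


def delete_scoped(store, user, page_id, ids):
    """Hardened pattern: every id must belong to the authorised page.
    Unknown ids are treated like foreign ones, so the error does not
    reveal which ids exist on other pages."""
    if not can_manage(user, page_id):
        raise PermissionError(page_id)
    wanted = list(dict.fromkeys(ids))  # drop duplicates, keep order
    foreign = [i for i in wanted
               if i not in store or store[i].page_id != page_id]
    if foreign:
        # Reject the whole request before anything is deleted.
        raise PermissionError(f"ids not on page {page_id}: {foreign}")
    return [store.pop(i).id for i in wanted]
```
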