Wagtail 7.3.2 release notes

May 5, 2026

---
local:
depth: 1
---

What's new

CVE-2026-44197: Improper permission handling when comparing revisions

A CMS user without the ability to edit a page could access revisions of the page through the revision compare view if they knew the primary key of two revisions. This could potentially result in disclosure of sensitive information.

Many thanks to Seoyoung Kang from AhnLab for reporting this issue. For further details, please see security advisory GHSA-c6wj-9vcj-75pj.

CVE-2026-44198: Improper permission handling when viewing page history

A CMS user without the ability to edit a page could still access the history report for the page, potentially resulting in disclosure of sensitive information.

Many thanks to Seoyoung Kang from AhnLab for reporting this issue. For further details, please see security advisory GHSA-c4mr-889m-vgf6.

CVE-2026-44199: Improper permission handling when deleting form submissions

A CMS user with limited access to form pages could delete submissions to form pages they don't have access to by crafting a form submission to delete submissions on a page they do have access to for submissions they don't. The vulnerability is not exploitable by an ordinary site visitor without access to the Wagtail admin.

Many thanks to Vishal Shukla for reporting this issue. For further details, please see security advisory GHSA-pwm3-7fv4-g6xx.

CVE-2026-44200: Improper permission handling when copying pages

A CMS user with limited access to pages could copy a page they don't have access to to an area of the site they do. Once coped, they'd be able to view its contents, and potentially publish it. Permissions were correctly checked for the copy destination, but not for the source page.

Many thanks to Sanjok Karki for reporting this issue. For further details, please see security advisory GHSA-67rv-mg8q-5pf3.

CVE-2026-44201: Improper restriction handling on Documents and Images API

The Documents and Images API incorrectly listed items in private collections. A user with access to the API could see the filename and name of documents and images in private collections.

Many thanks to Sanjok Karki for reporting this issue. For further details, please see security advisory GHSA-p5gm-92h4-6pv6.

Grouping of audit log entries for autosave

When a page is autosaved, the audit log entries created throughout the editing session are now grouped together as a single entry in the page's history view. This makes the page's history view more manageable to navigate when a large number of edits have been made via autosave. The site history report still shows granular entries for each autosave, to allow for more detailed analysis of editing activity across the site.

Bug fixes

• Use protocol-relative URLs in the userbar for compatibility with environments where Django does not detect the protocol (Sage Abdullah)
• Index the contents of image descriptions as well as titles, for CMS search (Advik Sharma)
• Avoid creating a new editing session when updating UI elements after an autosave (Sage Abdullah)
• Retain page explorer header buttons when searching or filtering (Sage Abdullah)
• Correctly escape the sizes attribute in responsive image template tags (Jake Howard)
• Add accessible label to userbar aside element for accessibility (Kalash Kumari Thakur)
• Pause SessionController pings during autosave to prevent conflict notification with own session (Sage Abdullah)
• Ensure live preview does not get stuck when edits occur during an in-progress update (Aniket Singh)
• Ensure only one autosave request can happen at a time to prevent incorrect conflict notifications with the current session (Sage Abdullah)
• Prevent incorrect concurrent editing conflict notifications when doing a manual save (Sage Abdullah)

Upgrade considerations

Addition of composite indexes to PageLogEntry and ModelLogEntry tables

This release includes a migration to add composite indexes to the wagtailcore_pagelogentry and wagtailcore_modellogentry tables on the fields uuid, action, and -timestamp. Running this migration may take a few minutes on large sites with millions of existing log entries. If you have already created these indexes manually on your database, you should skip this migration by passing the option --fake to the migrate management command, for example: python manage.py migrate --fake wagtailcore 0097.

If you have custom audit log models in your project, you should also run python manage.py makemigrations to generate a migration that adds the same composite indexes to your custom log entry models, and then apply that migration.