Leaked all user names from a user without known permissions in wagtail/wagtail

Valid

Reported on

Oct 15th 2023


Description

- From any user account without authority to go to the /admin/users page and view employee information, it is still possible to leak all employee names that exist on the platform.
- The vulnerabilities occur in 3 features: delete, set active state, and assign role, on the pages /admin/users and /admin/groups/{group_number}/users/

Proof of Concept

- Step 1: From the admin account, go to /admin/users or /admin/groups/{group_number}/users/

- Step 2: Choose any account and use 1 of the 3 features (delete, set active state, assign role); you will be navigated to a path like this:
  + /admin/bulk/auth/user/delete/?next=%2Fadmin%2Fusers%2F&id=5 (with the delete feature)
  + /admin/bulk/auth/user/assign_role/?next=%2Fadmin%2Fusers%2F&id=2 (with the assign_role feature)
  + /admin/bulk/auth/user/set_active_state/?next=%2Fadmin%2Fusers%2F&id=3 (with the set_active_state feature)
  * Note: You need to change the value of the id parameter to see other users' information. With more than 1 &id parameter you can view more user names at the same time (e.g. /admin/bulk/auth/user/delete/?next=%2Fadmin%2Fusers%2F&id=5&id=6&id=4; the condition is that all 3 ids exist).

- Step 3: Use any account with the permissions I described in the description, then access the link and change the value of the id parameter; you can get the names of all users.
  * Note: To make it easiest, first test with an account without any permissions. Then give that account more permissions and check again.

Impact

- Leaking all names of users is an extremely dangerous step for attackers to carry out other forms of attacks, such as:
  - Brute force login attack
  - Spear phishing
  - Gathering more information
  - Personalized attacks
  - and other types of dangerous attacks
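The access-control gap the report describes, modelled in plain Python as an added example (this is not Wagtail's code or its actual patch; see the linked advisory and release notes for that). The view name `bulk_action_view`, the `User` model, the permission string `auth.change_user` and the sample user table are assumptions. The vulnerable shape looks up the users named by every `id=` parameter and returns their names on the confirmation page for any logged-in account; the hardened shape refuses before any lookup, so no names reach an account that lacks the permission.

```python
"""Illustrative model of a bulk-action confirmation view that leaks user
names, beside a hardened version that checks permission first.
Added example; not Wagtail's own code. All names here are assumptions."""
from dataclasses import dataclass, field
from urllib.parse import parse_qs


@dataclass
class User:
    pk: int
    username: str
    permissions: set = field(default_factory=set)


# Constructed sample user table standing in for the database.
USERS = {
    2: User(2, "alice"),
    3: User(3, "bob"),
    4: User(4, "carol", {"auth.change_user"}),  # the only account with the permission
    5: User(5, "dave"),
    6: User(6, "erin"),
}

# Assumed name of the permission that should gate bulk user actions.
REQUIRED_PERMISSION = "auth.change_user"


def parse_ids(query_string):
    """Return the integer ids from repeated `id=` parameters, e.g.
    'next=%2Fadmin%2Fusers%2F&id=5&id=6&id=4' -> [5, 6, 4].
    Non-numeric values are ignored rather than raising."""
    values = parse_qs(query_string).get("id", [])
    return [int(v) for v in values if v.isdigit()]


def _names_for(ids):
    """Look up the target users; ids that do not exist are skipped."""
    return [USERS[i].username for i in ids if i in USERS]


def vulnerable_bulk_action_view(request_user, query_string):
    """Vulnerable shape: the confirmation page lists the targets' names
    without checking that request_user may act on users at all, so any
    logged-in account can enumerate names by varying the id parameter."""
    return {"status": 200, "names": _names_for(parse_ids(query_string))}


def hardened_bulk_action_view(request_user, query_string):
    """Hardened shape: authorisation is decided before any object is
    touched, and a denied request carries no user data in its body."""
    if REQUIRED_PERMISSION not in request_user.permissions:
        return {"status": 403, "names": []}
    return {"status": 200, "names": _names_for(parse_ids(query_string))}


if __name__ == "__main__":
    q = "next=%2Fadmin%2Fusers%2F&id=5&id=6&id=4"
    print("vulnerable, no permission:", vulnerable_bulk_action_view(USERS[2], q))
    print("hardened,   no permission:", hardened_bulk_action_view(USERS[2], q))
    print("hardened,   with permission:", hardened_bulk_action_view(USERS[4], q))
```

The ordering in the hardened view is the point: the permission check runs before `parse_ids` or any lookup, so there is no code path in which a denied request has already loaded the target rows. A real Django view would express the same gate with a permission-required decorator or mixin on the view class rather than an inline check.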
We are processing your report and will contact the wagtail team within 24 hours. 2 months ago
Hackerga2101 modified the report
2 months ago
Hackerga2101 modified the report
2 months ago
We have contacted a member of the wagtail team and are waiting to hear back 2 months ago
wagtail/wagtail maintainer has acknowledged this report 2 months ago
wagtail/wagtail maintainer
2 months ago

Maintainer


Great work @quyenheu 👌 Could you kindly propose/submit a fix for this vulnerability? Any thoughts on how best to protect access to this page?

Due to the severity, it's unlikely it'll warrant a security release on its own, but it'll be included in the next patch release. With that said, we should still treat this as a security vulnerability.

wagtail/wagtail maintainer
2 months ago

Maintainer


We'd like to get this into the 5.1.3 release, which we're planning to release on Thursday alongside 5.2rc1. Any help you can provide before then would be great, else we can work on the patch internally.

Matt Westcott modified the Severity from Medium (5.9) to Low (3.3) 2 months ago
Hackerga2101
2 months ago

Researcher


thank you but I don't have any fix for this vulnerability

The researcher has received a minor penalty to their credibility for miscalculating the severity: -1
Matt Westcott validated this vulnerability 2 months ago

Many thanks for the report! This has now been addressed in Wagtail releases 4.1.9, 5.0.5 and 5.1.3 and published as a security advisory: https://github.com/wagtail/wagtail/security/advisories/GHSA-fc75-58r8-rm3h https://docs.wagtail.org/en/stable/releases/5.1.3.html

Hackerga2101 has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Matt Westcott marked this as fixed in 5.1.3 with commit 8ec428 2 months ago
The fix bounty has been dropped
This vulnerability will not receive a CVE
Matt Westcott published this vulnerability 2 months ago