4 May 2026

Independent security audit: findings and next steps

Wagtail's first independent security audit

Thibaud Colas, Wagtail core team

Earlier this year, France's Interministerial Digital Directorate (DINUM) commissioned an independent security audit of Wagtail as part of their work hardening the open-source software the French public sector relies on. They use Wagtail for their Sites Conformes distribution across 60+ French central government websites.

We're publishing a summary of the audit findings so the wider community can benefit from the work. We see security as a key feature of Wagtail, and audits like this make us all more confident in the software we're building together.

What was reviewed

The audit examined the Wagtail 7.2.1 source tree and its dependency graph, with a focus on application code (authentication, access control, file uploads, logging) and third-party Python and JavaScript dependencies. It did not cover infrastructure or deployment configuration, which are project-level concerns. The findings are broadly relevant for all Wagtail sites.

The audit combined manual review with automated checks, measured against guidelines such as the OWASP Top 10 but going beyond the basics.

What the audit found

The audit identified one confirmed vulnerability, CVE-2026-25517, which was independently reported and already patched in Wagtail. It also identified five opportunities for security hardening:

  • Dependency management: management of vulnerabilities in development-only dependencies, and an opportunity to strengthen supply chain monitoring beyond our current use of Dependabot.
  • File upload validation: document uploads could benefit from additional server-side checks on file contents, size, and naming.
  • Audit logging: opportunities to log a broader range of security-relevant events, particularly around authentication.
  • Security HTTP headers: recommendations to configure additional security headers beyond Wagtail's Django-provided defaults.
  • Brute-force protection: the admin login flow does not currently include rate limiting or account lockout as a core feature, instead encouraging use of external packages.
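The file upload item above is the one most directly addressable in application code. The example below is an added illustration, not Wagtail's own upload handling and not a proposal from the audit: a framework-agnostic validator that applies all three of the recommended server-side checks (size ceiling, filename sanitisation, and a content check that the bytes actually match the extension the client claims). The size limit, the allowed-type table and the sample inputs are constructed for this example; a real project would derive them from its own policy, and Wagtail's existing `WAGTAILDOCS_EXTENSIONS` setting already covers the extension allow-list part.

```python
import os
import re
import unicodedata

# Constructed policy for this example (not Wagtail's defaults): a size ceiling and,
# per allowed extension, the byte prefixes the uploaded content must start with.
MAX_UPLOAD_BYTES = 25 * 1024 * 1024
ALLOWED_TYPES = {
    ".pdf": (b"%PDF-",),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    # Office Open XML files are zip containers; this prefix only proves "is a zip",
    # so a stricter deployment would also inspect the archive's entries.
    ".docx": (b"PK\x03\x04",),
}
SAFE_BASE = re.compile(r"[^A-Za-z0-9_-]")


class UploadRejected(ValueError):
    """Raised when an upload fails a policy check; the message is safe to show the user."""


def safe_filename(name: str) -> str:
    """Reduce a client-supplied filename to a single, predictable path component."""
    # Keep only the last path segment so "../../etc/x.pdf" and "C:\x.pdf" cannot traverse.
    name = name.replace("\\", "/").rsplit("/", 1)[-1]
    name = unicodedata.normalize("NFKC", name)
    # Drop NUL, control characters and characters that are special on common filesystems.
    name = "".join(ch for ch in name if ch.isprintable() and ch not in '<>:"|?*')
    name = re.sub(r"\s+", "_", name).strip("._")
    base, ext = os.path.splitext(name)
    # Replace every remaining dot in the base so "shell.php.pdf" becomes "shell_php.pdf":
    # some servers pick a handler from any extension in the name, not only the last one.
    base = re.sub(r"_+", "_", SAFE_BASE.sub("_", base)).strip("_")
    if not base:
        raise UploadRejected("filename is empty after sanitising")
    return f"{base[:100]}{ext.lower()}"


def validate_upload(filename: str, data: bytes) -> str:
    """Check size, name and content; return the name to store under or raise UploadRejected."""
    if not data:
        raise UploadRejected("empty file")
    # In a real view, also compare the declared Content-Length before reading the body.
    if len(data) > MAX_UPLOAD_BYTES:
        raise UploadRejected(f"file larger than {MAX_UPLOAD_BYTES} bytes")
    name = safe_filename(filename)
    ext = os.path.splitext(name)[1]
    if ext not in ALLOWED_TYPES:
        raise UploadRejected(f"extension {ext or '(none)'} is not allowed")
    # The extension is client-controlled; the content must agree with it.
    if not any(data.startswith(magic) for magic in ALLOWED_TYPES[ext]):
        raise UploadRejected(f"content does not match a {ext} file")
    return name


if __name__ == "__main__":
    # Constructed inputs: a benign upload and a PHP payload disguised with a double extension.
    print(validate_upload("../../Annual Report (2025).PDF", b"%PDF-1.7\n"))
    try:
        validate_upload("shell.php.pdf", b"<?php system($_GET['c']); ?>")
    except UploadRejected as exc:
        print("rejected:", exc)
```

The three checks are deliberately independent: a traversal attempt in the name is neutralised even when the content is a valid PDF, and a polyglot whose name passes still fails on its leading bytes. Magic-byte matching is a coarse filter rather than a full parse, so for formats that can carry active content (PDF, Office documents) it belongs alongside, not instead of, serving documents with a restrictive `Content-Disposition` and `Content-Type`.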

How we’re responding

Many of these possible improvements fall into areas where we deliberately delegate choices to site implementers, such as authentication strategy or logging depth. The best answer depends on each project's threat model and infrastructure, so it's important that project teams take ownership of those topics (with our guidance).

The upcoming Wagtail 7.4 release will ship with 8 improvements, with a primary focus on documentation guidance. We have a further 6 improvements planned, to be discussed with our security contributors. The Wagtail security team will continue to review and prioritize these as part of our ongoing security maintenance. You can track (and join!) the discussion on GitHub: audit report highlights.

Thank you ❤️

We're grateful to the Sites Conformes team at DINUM for commissioning this audit and sharing the results, and to the audit team for their thorough work. Independent reviews like this make the whole ecosystem stronger, and we hope the findings are useful for Wagtail projects everywhere.

We welcome any questions or feedback on the audit findings! We will be discussing them at our upcoming What’s New in Wagtail webinar in two weeks.