High severity8.8NVD Advisory· Published May 4, 2026· Updated May 5, 2026

CVE-2026-29514

Description

NetBox versions 4.3.5 through 4.5.4 contain a remote code execution vulnerability in the RenderTemplateMixin.get_environment_params() method that allows authenticated users with exporttemplate or configtemplate permissions to execute arbitrary code by specifying malicious Python callables in the environment_params field. Attackers can bypass Jinja2 SandboxedEnvironment protections by setting the finalize parameter to any importable Python callable such as subprocess.getoutput, which is invoked on every rendered expression outside the sandbox's call interception mechanism, achieving remote code execution as the NetBox service user.

Affected products

Netbox Community/Netboxreferences

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

chocapikk.com/posts/2026/netbox-export-template-rce/nvd
github.com/netbox-community/netbox/issues/22079nvd
github.com/netbox-community/netbox/pull/22078nvd
www.vulncheck.com/advisories/netbox-rce-via-rendertemplatemixinnvd

News mentions

No linked articles in our index yet.

cvss	0.572
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000