VYPR
Vendor
Products: 2
CVEs: 5
Across products: 5
Status: Private

Recent CVEs (5)
| CVE | Severity | Scores (Risk, CVSS, EPSS) | KEV | Published |
|---|---|---|---|---|
| CVE-2026-44798 | High | 0.38 | | May 13, 2026 |
| CVE-2026-44797 | High | 0.38 | | May 13, 2026 |
| CVE-2025-62607 | Medium | 0.27, 5.3, 0.00 | | Oct 22, 2025 |
| CVE-2026-44796 | | 0.00 | | May 13, 2026 |
| CVE-2026-44794 | | 0.00 | | May 13, 2026 |

## CVE-2026-44798

### Impact
A user with access to add or change a GitRepository record could use the REST API to directly set the `current_head` field on the record, which was not intended to be user-editable. Doing so could cause Nautobot's local clone(s) of the relevant repository to check out a commit other than the latest commit on the specified `branch` (resulting in misleading state), or potentially to be unable to make use of the repository at all (until manually remediated) because `current_head` points to a nonexistent commit hash or a malformed value.

### Patches
The issue has been remediated in Nautobot v2.4.33 and 3.1.2.

### Workarounds
Note that many of the same end-result symptoms could be caused by a user with the same level of access simply changing the `branch` or `remote_url` of a GitRepository rather than crafting the `current_head`. Administrators are encouraged to carefully review which users are granted permissions to create and modify GitRepository records.

### References
- 2.4.33 ([patch](https://github.com/nautobot/nautobot/commit/9deddfc91ad9260ad17b5e20084e9e2d15be3609))
- 3.1.2 ([patch](https://github.com/nautobot/nautobot/commit/c46f97040b2bde4320be36b23577f19a8bcbd8c3))

## CVE-2026-44797

### Impact
Nautobot's `Webhook` data model and associated feature set could be configured by users with sufficient access to perform requests to various hosts and IP addresses that should not be permitted, allowing for various behaviors similar to server-side request forgery (SSRF).

### Patches
Fixes are available in Nautobot v2.4.33 and v3.1.2. In support of this fix, three new settings variables have been added to Nautobot:

- `WEBHOOK_ALLOWED_SCHEMES` - By default, new or updated `Webhook` records will be restricted to HTTP or HTTPS only, disallowing other schemes that may have been previously allowed. Administrators should audit existing `Webhook` records to identify any that are invalid, and either update/delete those records or customize `WEBHOOK_ALLOWED_SCHEMES` as appropriate.
- `WEBHOOK_ADDITIONAL_BLOCKED_NETWORKS` - This can be used to specify additional IP networks that should be denied to `Webhook` sending. For example, some deployments may wish to disallow RFC1918 addresses, or even disallow all networks and carve out specific exemptions using the `WEBHOOK_ALLOWED_HOSTS` setting described next.
- `WEBHOOK_ALLOWED_HOSTS` - This can be used to provide an allow-list of specific hosts that would otherwise be blocked by any `WEBHOOK_ADDITIONAL_BLOCKED_NETWORKS` configuration.

### Workarounds
Administrators should review which users have been granted `add` or `change` permissions for the `Webhook` data model, and should review currently defined `Webhook` records for safety and validity. Other than that, no specific workaround has been identified.

### References
- 2.4.33 ([patch](https://github.com/nautobot/nautobot/commit/16aa4aa9796ab7a31c4d615ec945e1f16d8c77c4))
- 3.1.2 ([patch](https://github.com/nautobot/nautobot/commit/7324c8f0d8c7245fbc691e15d729adc2d2707d08))

## CVE-2025-62607

Nautobot Single Source of Truth (SSoT) is an app for Nautobot. Prior to version 3.10.0, an unauthenticated attacker could access the unauthenticated Configuration page to view the ServiceNow public instance name, e.g. companyname.service-now.com. This is considered low-value information. It does not expose the Secret, the Secret Name, or the Secret Value for the ServiceNow username/password. An unauthenticated user would not be able to change the instance name, nor set a Secret. There is no way to gain access to other Nautobot pages through the unauthenticated Configuration page. This issue has been patched in version 3.10.0.

## CVE-2026-44796

### Impact
Nautobot UI object-bulk-rename endpoints (for example, `/dcim/interfaces/rename/`) were vulnerable to application-wide denial of service via maliciously crafted regular expressions in the `find` field in combination with the `use_regex` flag.

### Patches
A general-purpose timeout has been added to these endpoints in Nautobot v2.4.33 and v3.1.2, which ensures that the request will fail early with an appropriate message if regular expression evaluation takes more than a short period of time, instead of continuing to execute for an indefinite duration.

### Workarounds
No known workaround has been identified at this time.

### References
- 2.4.33 ([patch](https://github.com/nautobot/nautobot/commit/c2b766966d814a7141f62c7bc90c85fefb7892ee))
- 3.1.2 ([patch](https://github.com/nautobot/nautobot/commit/5a30d0916953afbeedd24a784709e762cc3879cd))

## CVE-2026-44794

### Impact
In the case of inter-object references via `GenericForeignKey` (a pattern allowing an object to reference another object that may belong to one of several different "content types" or database tables), when creating or updating an object containing a `GenericForeignKey`, Nautobot's REST API failed to enforce user "view" permissions when determining whether a given reference to another object would be valid.

As a concrete example, a user:

- who has permission to create or update `ImageAttachment` records
- but who lacks permission to view (some or all) `Device` records
- _but who knows (via some other mechanism) the UUID of a specific `Device` that they do not otherwise have access to_

could create via the REST API an `ImageAttachment` linked to that specific `Device`.

Other models that use `GenericForeignKey` and may be writable via the REST API, and hence have a similar vulnerability to `ImageAttachment`, may include:

- `ApprovalWorkflow`
- `Cable`
- `ConfigContext`
- `ContactAssociation`
- `DataCompliance`
- `Device`
- `ExportTemplate`
- `GraphQLQuery`
- `Note`
- `ObjectMetadata`
- `RelationshipAssociation`
- `StaticGroupAssociation`
- `VirtualMachine`

Additionally, any Nautobot Apps that provide models with a REST API and use `GenericForeignKey` may have a similar vulnerability for their models.

### Patches
A general-purpose fix has been implemented in Nautobot 2.4.33 and 3.1.2, which ensures correct application of "view" permissions when creating or modifying object references via `GenericForeignKey` throughout the REST API. Individual models/views/serializers generally will not require any specific code changes to benefit from this fix.

### Workarounds
No known workarounds at this time.

### References
- 2.4.33 ([patch](https://github.com/nautobot/nautobot/commit/9918bdb9bcf1eb42cda72c344f420a64ef7665f1))
- 3.1.2 ([patch](https://github.com/nautobot/nautobot/commit/36cde7148a207234de6212ec074f321dbc9d1b5b))