SB2026051168 - Multiple vulnerabilities in Nautobot
Published: May 11, 2026

Security Bulletin ID: SB2026051168
CSH Severity: Medium
Patch available: YES
Number of vulnerabilities: 4
Exploitation vector: Remote access
Highest impact: Data manipulation

Breakdown by Severity

Medium: 25%, Low: 75%

Description

This security bulletin contains information about 4 vulnerabilities.


1) Modification of assumed-immutable data (CVE-ID: CVE-2026-44798)

The vulnerability allows a remote user to modify repository state and cause a denial of service.

The vulnerability exists due to modification of assumed-immutable data in the GitRepository.current_head field through the REST API when handling add or change requests for GitRepository records. A remote user can set the current_head field to a nonexistent commit hash or a malformed value, modifying repository state and causing a denial of service.

The issue can cause local clones of the repository to check out a commit other than the latest commit on the configured branch, resulting in misleading state.


2) Server-Side Request Forgery (SSRF) (CVE-ID: N/A)

The vulnerability allows a remote user to perform server-side requests to unintended hosts and IP addresses.

The vulnerability exists due to server-side request forgery in the Webhook data model and associated feature set when processing user-defined webhook destinations. A remote user can configure a webhook that points at a disallowed destination, causing the server to issue requests to unintended hosts and IP addresses.

Exploitation requires add or change permissions for the Webhook data model.
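A webhook destination is attacker-influenced input to an outbound HTTP client, so the defensive control is to validate where the request will actually go before it is sent: restrict the scheme, refuse embedded credentials, resolve the host, and reject the destination if any resolved address is loopback, private, link-local, multicast, reserved or unspecified (including IPv4 addresses hidden inside IPv4-mapped IPv6 literals). The following is an added example written for this bulletin, not Nautobot's own code; the policy, the function names and the constructed DNS answers are assumptions chosen so that it runs offline.

```python
import ipaddress
import socket
from typing import List
from urllib.parse import urlsplit

# Policy assumed for this example: only plain HTTP(S) to globally routable
# addresses; everything else is a disallowed webhook destination.
ALLOWED_SCHEMES = {"http", "https"}


def is_disallowed_ip(ip: str) -> bool:
    """True if an address must never be a webhook target."""
    addr = ipaddress.ip_address(ip)
    # Judge IPv4-mapped IPv6 (::ffff:10.0.0.1) by the IPv4 address it wraps,
    # otherwise the mapped form slips past IPv4-only checks.
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return (
        addr.is_loopback
        or addr.is_private
        or addr.is_link_local
        or addr.is_multicast
        or addr.is_reserved
        or addr.is_unspecified
        or (isinstance(addr, ipaddress.IPv6Address) and addr.is_site_local)
    )


def system_resolver(host: str) -> List[str]:
    """Default resolver: every A/AAAA answer for the host via the OS."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def validate_webhook_destination(url: str, resolver=system_resolver) -> List[str]:
    """Return the vetted IPs for a webhook URL, or raise ValueError.

    Every address the host resolves to is checked, so a name that mixes a
    public and an internal answer is rejected as a whole.
    """
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        raise ValueError(f"scheme {parts.scheme!r} is not allowed")
    if not parts.hostname:
        raise ValueError("URL has no host")
    if parts.username is not None or parts.password is not None:
        raise ValueError("credentials embedded in the URL are not allowed")
    host = parts.hostname
    try:
        ips = [str(ipaddress.ip_address(host))]  # literal IP: no lookup needed
    except ValueError:
        try:
            ips = list(resolver(host))
        except OSError as exc:
            raise ValueError(f"cannot resolve {host!r}") from exc
    if not ips:
        raise ValueError(f"{host!r} resolved to no addresses")
    blocked = [ip for ip in ips if is_disallowed_ip(ip)]
    if blocked:
        raise ValueError(f"{host!r} resolves to disallowed address(es): {blocked}")
    return ips


def is_allowed_destination(url: str, resolver=system_resolver) -> bool:
    """Boolean wrapper around validate_webhook_destination()."""
    try:
        validate_webhook_destination(url, resolver)
    except ValueError:
        return False
    return True


# Constructed DNS answers so the example runs offline; these are not real hosts.
CONSTRUCTED_DNS = {
    "hooks.example.net": ["8.8.8.8"],                   # public answer (well-known resolver IP as a sample)
    "metadata.internal.example": ["169.254.169.254"],   # link-local metadata address
    "split.example.net": ["8.8.4.4", "10.0.0.5"],       # public plus private: reject as a whole
}


def constructed_resolver(host: str) -> List[str]:
    """Resolver stand-in that answers only from CONSTRUCTED_DNS."""
    try:
        return CONSTRUCTED_DNS[host]
    except KeyError:
        raise socket.gaierror(f"constructed resolver: unknown host {host!r}")


if __name__ == "__main__":
    for candidate in ["https://hooks.example.net/notify", "http://127.0.0.1:8080/", "http://split.example.net/"]:
        verdict = "allowed" if is_allowed_destination(candidate, constructed_resolver) else "blocked"
        print(f"{candidate} -> {verdict}")
```

Validating at save time is necessary but not sufficient: the HTTP client that later delivers the webhook should connect to the addresses vetted here (or re-run the check at send time) so that a DNS answer changed between validation and delivery cannot redirect the request, and it should not follow redirects without validating each hop the same way.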


3) Inefficient regular expression complexity (CVE-ID: CVE-2026-44796)

The vulnerability allows a remote user to cause a denial of service.

The vulnerability exists due to inefficient regular expression complexity in object bulk rename UI endpoints when processing a crafted regular expression in the find field with the use_regex flag enabled. A remote user can send a specially crafted request to cause a denial of service.

The issue can result in application-wide impact.


4) Missing Authorization (CVE-ID: CVE-2026-44794)

The vulnerability allows a remote user to reference objects that they should not be able to reference via the REST API.

The vulnerability exists due to missing authorization in GenericForeignKey reference handling in the REST API when creating or updating an object that contains a GenericForeignKey. A remote user can submit a crafted API request that references, by UUID, an object they are not permitted to view, and the reference is accepted, allowing them to reference objects via the REST API that they should not be able to.

Exploitation requires knowledge of the UUID of a target object that is not otherwise accessible to the user.
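The defensive pattern for a missing-authorization bug of this shape is to resolve any client-supplied (type, id) pair only through the requesting user's permission-filtered view of the data, and to answer a non-visible object and a nonexistent one identically, so the endpoint cannot be used to confirm that a guessed UUID exists. The following is an added, framework-free illustration written for this bulletin; it is not Nautobot code, and the Registry, User and view_rules names are stand-ins for the ORM and the object-permission layer.

```python
import uuid
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional, Tuple

# One message for "does not exist" and "exists but you may not see it".
NOT_FOUND = "referenced object does not exist or is not visible to you"


class InvalidReference(ValueError):
    """Raised when a GenericForeignKey payload cannot be honoured."""


@dataclass(frozen=True)
class Obj:
    content_type: str  # model label, e.g. "dcim.device" (constructed sample data)
    pk: uuid.UUID
    tenant: str


@dataclass
class User:
    name: str
    # content_type -> predicate deciding which rows this user may *view*;
    # a missing key means no view permission on that model at all.
    view_rules: Dict[str, Callable[[Obj], bool]] = field(default_factory=dict)


class Registry:
    """Stand-in for the database. Reference lookups go only through visible()."""

    def __init__(self) -> None:
        self._rows: Dict[Tuple[str, uuid.UUID], Obj] = {}

    def add(self, obj: Obj) -> None:
        self._rows[(obj.content_type, obj.pk)] = obj

    def visible(self, user: User, content_type: str, pk: uuid.UUID) -> Optional[Obj]:
        """The row only if the user's view rule for that model admits it."""
        rule = user.view_rules.get(content_type)
        obj = self._rows.get((content_type, pk))
        if rule is None or obj is None or not rule(obj):
            return None
        return obj


def resolve_generic_fk(registry: Registry, user: User, object_type: str, object_id) -> Obj:
    """Resolve a (type, id) pair from an API payload on behalf of `user`.

    The lookup is made through the user's permission filter, and a row the
    user may not view produces exactly the same error as a row that does not
    exist, so the endpoint is not an existence oracle for guessed UUIDs.
    """
    try:
        pk = uuid.UUID(str(object_id))
    except ValueError:
        raise InvalidReference("object_id is not a valid UUID")
    obj = registry.visible(user, object_type, pk)
    if obj is None:
        raise InvalidReference(NOT_FOUND)
    return obj


def describe_reference(registry: Registry, user: User, object_type: str, object_id) -> str:
    """'ok' when the reference is accepted, otherwise the error text."""
    try:
        resolve_generic_fk(registry, user, object_type, object_id)
    except InvalidReference as exc:
        return str(exc)
    return "ok"


# Constructed sample data: two devices in different tenants, one UUID never stored.
REGISTRY = Registry()
DEV_A = Obj("dcim.device", uuid.UUID(int=1), tenant="team-a")
DEV_B = Obj("dcim.device", uuid.UUID(int=2), tenant="team-b")
MISSING_ID = uuid.UUID(int=99)
for _row in (DEV_A, DEV_B):
    REGISTRY.add(_row)

# Alice may view only team-a devices; Bob has no device view permission at all.
ALICE = User("alice", {"dcim.device": lambda o: o.tenant == "team-a"})
BOB = User("bob")

if __name__ == "__main__":
    payload = {"assigned_object_type": "dcim.device", "assigned_object_id": str(DEV_B.pk)}
    print(describe_reference(REGISTRY, ALICE, payload["assigned_object_type"], payload["assigned_object_id"]))
```

The check belongs in the serializer or view that handles the create and update requests, where the authenticated user is known; validating the UUID format first keeps malformed input from reaching the lookup, and the uniform NOT_FOUND answer is what makes knowledge of a UUID insufficient on its own.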


Remediation

Install the update from the vendor's website.