Information disclosure in Nautobot - CVE-2023-50263
Published: December 12, 2023 / Updated: May 11, 2026
Nautobot
Detailed vulnerability description
The vulnerability allows a remote attacker to disclose sensitive information.
The vulnerability exists due to improper access control in the db-file-storage file access views when handling requests to /files/get/ and /files/download/. A remote attacker can send a request with a known file name to disclose sensitive information.
No URL mechanism is provided for listing or traversing available file names, so exploitation requires knowledge or guessing of a valid file name or path.
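Because exploitation depends on guessing file names, repeated failed requests to the two views from one client are a useful signal in web-server logs. The following detection sketch is an added example, not code from the advisory or from the Nautobot project; the log format, the threshold, the function name `find_file_name_guessing` and the sample lines are assumptions of the example.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

FILE_VIEW_PATHS = ("/files/get/", "/files/download/")  # paths named in the advisory
# Assumption: the front-end web server writes common/combined access log lines.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

def find_file_name_guessing(lines, min_failed=3):
    """Map client IP -> {"failed": n, "served": [...]} for clients whose requests
    to the file views failed for at least min_failed distinct file identifiers."""
    per_client = defaultdict(lambda: {"failed": set(), "served": set()})
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        url = urlsplit(m["target"])
        if not url.path.endswith(FILE_VIEW_PATHS):
            continue
        status = int(m["status"])
        # The raw query string is used as the file identifier, so no parameter
        # name is assumed. Assumption: a 4xx status means the lookup failed.
        if 400 <= status < 500:
            per_client[m["ip"]]["failed"].add(url.query)
        elif status == 200:
            per_client[m["ip"]]["served"].add(url.query)
    return {
        ip: {"failed": len(c["failed"]), "served": sorted(c["served"])}
        for ip, c in per_client.items()
        if len(c["failed"]) >= min_failed
    }

# Constructed sample lines (documentation IPs, made-up names and query format).
SAMPLE_LOG = [
    '198.51.100.7 - - [12/Dec/2023:10:00:01 +0000] "GET /files/get/?name=guess-1 HTTP/1.1" 400 15',
    '198.51.100.7 - - [12/Dec/2023:10:00:02 +0000] "GET /files/get/?name=guess-2 HTTP/1.1" 400 15',
    '198.51.100.7 - - [12/Dec/2023:10:00:03 +0000] "GET /files/download/?name=guess-3 HTTP/1.1" 400 15',
    '198.51.100.7 - - [12/Dec/2023:10:00:04 +0000] "GET /files/download/?name=guess-4 HTTP/1.1" 200 8042',
    '203.0.113.20 - - [12/Dec/2023:10:05:00 +0000] "GET /files/get/?name=guess-5 HTTP/1.1" 200 512',
    '203.0.113.20 - - [12/Dec/2023:10:05:09 +0000] "GET /files/get/?name=guess-6 HTTP/1.1" 400 15',
    '203.0.113.20 - - [12/Dec/2023:10:06:00 +0000] "GET /api/status/ HTTP/1.1" 200 90',
]

if __name__ == "__main__":
    for ip, info in find_file_name_guessing(SAMPLE_LOG).items():
        print(ip, info)
```

For a flagged client, the entries under `served` are the responses to review first, since they are files that were returned after a run of failed guesses.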