Information disclosure in Nautobot - CVE-2025-49143

 


Published: May 11, 2026


Vulnerability identifier: #VU130968
CSH Severity: Low
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2025-49143
CWE-ID: CWE-200
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vulnerable software: Nautobot
Software vendor: Nautobot

Description

The vulnerability allows a remote attacker to disclose sensitive information.

The vulnerability exists due to improper access control in the media file URL endpoint when serving uploaded files from the MEDIA_ROOT directory. A remote attacker can request a known or guessed file URL to disclose sensitive information.

For successful exploitation, the attacker must know or correctly guess the target file name or URL.
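
One way to look for the file-name guessing described above in reverse-proxy access logs. This is an added example, not Nautobot or vendor code; the `/media/` prefix, the combined log format, the threshold and the sample log lines are assumptions made for the illustration.

```python
import re
from collections import defaultdict

MEDIA_PREFIX = "/media/"  # assumption: the path your deployment serves MEDIA_ROOT under
MIN_MISSES = 3            # assumption: distinct 404s per client before flagging; tune it

# Combined log format: ip ident user [time] "METHOD path proto" status size ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

# Constructed sample lines (documentation IP ranges, made-up file names).
SAMPLE_LOG = """\
198.51.100.7 - - [01/Jan/2025:10:00:01 +0000] "GET /media/uploads/export-1.csv HTTP/1.1" 404 0 "-" "curl/8.0"
198.51.100.7 - - [01/Jan/2025:10:00:02 +0000] "GET /media/uploads/export-2.csv HTTP/1.1" 404 0 "-" "curl/8.0"
198.51.100.7 - - [01/Jan/2025:10:00:03 +0000] "GET /media/uploads/export-3.csv HTTP/1.1" 404 0 "-" "curl/8.0"
198.51.100.7 - - [01/Jan/2025:10:00:04 +0000] "GET /media/uploads/export-4.csv HTTP/1.1" 200 5120 "-" "curl/8.0"
192.0.2.10 - - [01/Jan/2025:10:05:00 +0000] "GET /media/uploads/diagram.png HTTP/1.1" 200 20480 "-" "Mozilla/5.0"
192.0.2.10 - - [01/Jan/2025:10:05:09 +0000] "GET /static/app.css HTTP/1.1" 200 900 "-" "Mozilla/5.0"
""".splitlines()


def find_media_guessing(lines, prefix=MEDIA_PREFIX, min_misses=MIN_MISSES):
    """Map each client that requested >= min_misses distinct missing media
    paths to its miss count and the media files it did retrieve."""
    misses = defaultdict(set)
    hits = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["method"] not in ("GET", "HEAD"):
            continue
        path = m["path"].split("?", 1)[0]  # ignore query strings
        if not path.startswith(prefix):
            continue
        if m["status"] == "404":
            misses[m["ip"]].add(path)
        elif m["status"] in ("200", "206") and path not in hits[m["ip"]]:
            hits[m["ip"]].append(path)
    return {
        ip: {"misses": len(paths), "hits": hits.get(ip, [])}
        for ip, paths in misses.items()
        if len(paths) >= min_misses
    }


if __name__ == "__main__":
    for ip, info in find_media_guessing(SAMPLE_LOG).items():
        print(ip, info["misses"], "misses; retrieved:", info["hits"])
```

Any file listed under `hits` for a flagged client is a candidate for disclosure review.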


Remediation

Install the security update from the vendor's website.
