Missing Authorization in Nautobot - CVE-2026-44794

Published: May 11, 2026


Vulnerability identifier: #VU130974
CSH Severity: Low
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2026-44794
CWE-ID: CWE-862
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vulnerable software: Nautobot
Software vendor: Nautobot

Description

The vulnerability allows a remote authenticated user to make API-created or API-updated objects reference other objects that the user is not permitted to view.

The vulnerability exists due to missing authorization (CWE-862) in the handling of GenericForeignKey references in the REST API. When an object that carries a GenericForeignKey is created or updated, the referenced target is resolved from the client-supplied content type and object UUID without checking that the requesting user has view permission on that target. A remote user who is allowed to create or update the containing object can therefore submit a crafted API request that names the UUID of an object outside their permission scope, and the resulting object will point at it.

Exploitation requires knowledge of the UUID of a target object that is not otherwise accessible to the user. Nautobot primary keys are random UUIDs, so the attacker cannot enumerate them through the API and must obtain the target UUID by other means, which limits the practical impact and is reflected in the low severity rating.
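The two lookup paths described above, as an added example that is not Nautobot's code and not the vendor's patch: a REST handler resolves a client-supplied GenericForeignKey reference (content-type label plus object UUID) first by primary key alone, which is the missing-authorization pattern, and then through the requesting user's view-restricted set. The object names, the `viewable` permission model, the `assigned_object_type`/`assigned_object_id` field names and the sample UUIDs are all assumptions constructed for this example.

```python
import uuid
from dataclasses import dataclass
from typing import Optional

# Added example, not Nautobot's code. It models how an API layer can resolve
# a client-supplied GenericForeignKey reference: by (content type, UUID)
# alone, or only within the requesting user's view-restricted object set.
# Every name, the permission model and the sample data are assumptions.


class NotFound(Exception):
    """Target does not exist, or lies outside the requester's view scope."""


class ValidationError(Exception):
    """Client payload is malformed."""


@dataclass(frozen=True)
class Obj:
    content_type: str  # "app_label.model", e.g. "dcim.device"
    pk: uuid.UUID
    name: str


@dataclass
class User:
    username: str
    # Assumed permission model: explicit set of (content_type, pk) pairs the
    # user may view; None means unrestricted (superuser). A real deployment
    # derives this from object-permission constraints; the check is the same.
    viewable: Optional[frozenset] = None

    def can_view(self, obj: Obj) -> bool:
        return self.viewable is None or (obj.content_type, obj.pk) in self.viewable


# Constructed sample data: two devices, one hidden from the limited user.
# Fixed UUIDs keep the example deterministic.
DEVICE_A = Obj("dcim.device", uuid.UUID("11111111-1111-4111-8111-111111111111"), "edge-01")
DEVICE_B = Obj("dcim.device", uuid.UUID("22222222-2222-4222-8222-222222222222"), "core-01")
STORE = {(o.content_type, o.pk): o for o in (DEVICE_A, DEVICE_B)}

LIMITED_USER = User("tenant-user", frozenset({("dcim.device", DEVICE_A.pk)}))
ADMIN = User("admin", None)


def parse_reference(payload: dict) -> tuple:
    """Validate the client-supplied reference before touching the store."""
    ctype = payload.get("assigned_object_type")
    raw_id = payload.get("assigned_object_id")
    if not isinstance(ctype, str) or ctype.count(".") != 1:
        raise ValidationError("assigned_object_type must be 'app_label.model'")
    try:
        return ctype, uuid.UUID(str(raw_id))
    except ValueError:
        raise ValidationError("assigned_object_id is not a UUID") from None


def resolve_unchecked(payload: dict) -> Obj:
    """Vulnerable pattern: resolve by (content type, UUID) with no permission check."""
    key = parse_reference(payload)
    try:
        return STORE[key]
    except KeyError:
        raise NotFound(key) from None


def resolve_restricted(payload: dict, user: User) -> Obj:
    """Hardened pattern: resolve only among objects the user may view.

    'Does not exist' and 'not permitted' collapse into the same NotFound, so
    the response does not confirm that a known-but-hidden UUID is real.
    """
    key = parse_reference(payload)
    visible = {k: o for k, o in STORE.items() if user.can_view(o)}
    try:
        return visible[key]
    except KeyError:
        raise NotFound(key) from None


def reference_allowed(payload: dict, user: User) -> bool:
    """Would the hardened resolver accept this reference for this user?"""
    try:
        resolve_restricted(payload, user)
    except NotFound:
        return False
    return True


def attach_note(payload: dict, user: User, checked: bool) -> dict:
    """Simulate creating an object (a note) whose GFK points at the target."""
    target = resolve_restricted(payload, user) if checked else resolve_unchecked(payload)
    return {"note": payload.get("note", ""), "assigned_object": target.name}


if __name__ == "__main__":
    request = {"assigned_object_type": "dcim.device",
               "assigned_object_id": str(DEVICE_B.pk), "note": "rebooted"}
    print(attach_note(request, LIMITED_USER, checked=False))  # succeeds: the bug
    try:
        attach_note(request, LIMITED_USER, checked=True)
    except NotFound:
        print("restricted lookup rejected the reference")
```

In a Django/Nautobot code base the equivalent of `resolve_restricted` is to look the target up through a queryset already filtered by the requester's view permission (Nautobot's `RestrictedQuerySet.restrict(user, "view")`) instead of the unrestricted manager, and to return the same not-found response for a missing object and for a hidden one. This page does not describe how the vendor's fix is implemented; the example shows the general pattern only.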


Remediation

Install the security update from the vendor's website.

External links