CVE-2026-44794
5.4 MEDIUM · Nautobot is a Network Source of Truth and Network Automation Platform
Published: 2026-05-28 · Last updated: 2026-05-29
Severity and scoring
- CVSS
- 5.4 MEDIUM
- Vector
- CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
- CWE
- CWE-862
Affected products
| Vendor | Product |
|---|---|
| networktocode | nautobot |
Description
Nautobot is a Network Source of Truth and Network Automation Platform. It supports inter-object references via GenericForeignKey, a pattern that lets an object reference another object which may belong to any one of several "content types" (database tables). Prior to 2.4.33 and 3.1.2, when creating or updating an object containing a GenericForeignKey, Nautobot's REST API failed to enforce the user's "view" permissions when determining whether a given reference to another object was valid. This vulnerability is fixed in 2.4.33 and 3.1.2.
Source: NVD
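As an added illustration, not Nautobot's own code, the following framework-free Python models the check the advisory describes: validating a GenericForeignKey-style reference (content type plus object id) by existence alone, versus also requiring the requesting user's "view" permission on the referenced object. The `OBJECTS` table, the `User` class and its permission representation are assumptions constructed for the example.

```python
from dataclasses import dataclass, field

# Constructed stand-in for the database: (app_label, model) -> {pk: object}.
# Mirrors how a GenericForeignKey is stored: a content type plus an object id.
OBJECTS = {
    ("dcim", "device"): {1: "edge-router-1", 2: "core-switch-1"},
    ("ipam", "ipaddress"): {10: "10.0.0.1/32"},
}


class ValidationError(Exception):
    """Raised when a submitted reference is rejected."""


@dataclass
class User:
    name: str
    # Constructed permission model: (app_label, model) pairs the user may "view".
    view_perms: set = field(default_factory=set)

    def can_view(self, content_type):
        return content_type in self.view_perms


def resolve_ref_vulnerable(ref, user):
    """Pre-fix behaviour: validates only that the target exists; `user` is ignored."""
    ct = (ref["app_label"], ref["model"])
    if ref["object_id"] not in OBJECTS.get(ct, {}):
        raise ValidationError("object does not exist")
    return OBJECTS[ct][ref["object_id"]]


def resolve_ref_fixed(ref, user):
    """Fixed behaviour: the target must exist AND be viewable by the requesting user.
    Both failures yield the same error so the response does not confirm existence."""
    ct = (ref["app_label"], ref["model"])
    if not user.can_view(ct) or ref["object_id"] not in OBJECTS.get(ct, {}):
        raise ValidationError("object does not exist or is not visible to this user")
    return OBJECTS[ct][ref["object_id"]]


def create_with_generic_fk(payload, user, resolver):
    """Simulates a REST create of an object whose 'assigned_object' is a GenericForeignKey.
    Returns the stored record on success, or None when the reference is rejected."""
    try:
        target = resolver(payload["assigned_object"], user)
    except ValidationError:
        return None
    return {"name": payload["name"], "assigned_object": target}
```

With a user who may view `ipam.ipaddress` but not `dcim.device`, the vulnerable resolver accepts a reference to a device while the fixed resolver rejects it exactly as it would a nonexistent object.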
References
- [NVD] https://nvd.nist.gov/vuln/detail/CVE-2026-44794
- [Patch] https://github.com/nautobot/nautobot/commit/36cde7148a207234de6212ec074f321dbc9d1b5b
- [Patch] https://github.com/nautobot/nautobot/commit/9918bdb9bcf1eb42cda72c344f420a64ef7665f1
- [Other] https://github.com/nautobot/nautobot/releases/tag/v2.4.33
- [Other] https://github.com/nautobot/nautobot/releases/tag/v3.1.2
- [Patch] https://github.com/nautobot/nautobot/security/advisories/GHSA-wpxj-44w3-2j6x
Related CVEs
Same vendor
- CVE-2026-44798 — Nautobot is a Network Source of Truth and Network Automation Platform (7.1 HIGH)
- CVE-2026-44797 — Nautobot is a Network Source of Truth and Network Automation Platform (8.5 HIGH)
- CVE-2026-44796 — Nautobot is a Network Source of Truth and Network Automation Platform (6.5 MEDIUM)
Same CWE
- CVE-2026-46645 — SQLAdmin is a flexible Admin interface for SQLAlchemy models (4.3 MEDIUM)
- CVE-2026-53634 — Sharp is a content management framework built for Laravel as a package (4.3 MEDIUM)
- CVE-2026-0272 — A privilege escalation vulnerability in Palo Alto Networks PAN-OS® software allows an authenticated administrator with access to the Comm...
- CVE-2026-49822 — Fission is an open-source, Kubernetes-native serverless framework that simplifies the deployment of functions and applications on Kubernetes (7.7 HIGH)
- CVE-2026-49821 — Fission is an open-source, Kubernetes-native serverless framework that simplifies the deployment of functions and applications on Kubernetes (7.7 HIGH)