CVE-2026-44798
7.1 HIGH
Nautobot is a Network Source of Truth and Network Automation Platform
Published: 2026-05-28 · Last updated: 2026-05-28
Severity and scoring
- CVSS: 7.1 HIGH
- Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H
- CWE: CWE-471, CWE-749
Affected products
| Vendor | Product |
|---|---|
| networktocode | nautobot |
Description
Nautobot is a Network Source of Truth and Network Automation Platform. Prior to 2.4.33 and 3.1.2, a user with access to add/change a GitRepository record could use the REST API to directly set the current_head field on the record, which was not intended to be user-editable. Doing so could cause Nautobot's local clone(s) of the relevant repository to check out a commit other than the latest commit on the specified branch (resulting in misleading state), or potentially to be unable to make use of the repository at all (until manually remediated) because current_head points to a nonexistent commit hash or a malformed value. This vulnerability is fixed in 2.4.33 and 3.1.2.
Source: NVD
References
- [NVD] https://nvd.nist.gov/vuln/detail/CVE-2026-44798
- [Patch] https://github.com/nautobot/nautobot/commit/9deddfc91ad9260ad17b5e20084e9e2d15be3609
- [Patch] https://github.com/nautobot/nautobot/commit/c46f97040b2bde4320be36b23577f19a8bcbd8c3
- [Other] https://github.com/nautobot/nautobot/releases/tag/v2.4.33
- [Other] https://github.com/nautobot/nautobot/releases/tag/v3.1.2
- [Patch] https://github.com/nautobot/nautobot/security/advisories/GHSA-p3hx-pwf3-j8wr
Related CVEs
Same vendor
- CVE-2026-44797 — Nautobot is a Network Source of Truth and Network Automation Platform (8.5 HIGH)
- CVE-2026-44796 — Nautobot is a Network Source of Truth and Network Automation Platform (6.5 MEDIUM)
- CVE-2026-44794 — Nautobot is a Network Source of Truth and Network Automation Platform (5.4 MEDIUM)
Same CWE
- CVE-2026-7516 — A vulnerability was identified in the Lenovo Android Application, distributed exclusively on tablets in the Chinese market, that could al... (4.3 MEDIUM)
- CVE-2026-47899 — The Electron preload script in Logseq exposes an API method that allows the renderer process to invoke IPC handlers without proper path v...
- CVE-2026-44698 — Home Assistant is open source home automation software that puts local control and privacy first (8.3 HIGH)
- CVE-2025-14713 — An Exposed Dangerous Method or Function vulnerability in Synology C2 Identity Edge Server package in DSM before 1.76.0-0307 allows remote... (7.5 HIGH)
- CVE-2026-44836 — view_component is a framework for building reusable, testable, and encapsulated view components in Ruby on Rails (6.5 MEDIUM)