CVE-2026-29514
Remote Code Execution in NetBox via Jinja2 Sandbox Bypass
Publication date: 2026-05-04
Last updated on: 2026-05-04
Assigner: VulnCheck
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| netbox | netbox | From 4.3.5 (inc) to 4.5.4 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-183 | The product implements a protection mechanism that relies on a list of inputs (or properties of inputs) that are explicitly allowed by policy because the inputs are assumed to be safe, but the list is too permissive - that is, it allows an input that is unsafe, leading to resultant weaknesses. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in NetBox versions 4.3.5 through 4.5.4 within the RenderTemplateMixin.get_environment_params() method. Authenticated users who have exporttemplate or configtemplate permissions can exploit this flaw by specifying malicious Python callables in the environment_params field. This allows them to bypass the Jinja2 SandboxedEnvironment protections by setting the finalize parameter to any importable Python callable, such as subprocess.getoutput. As a result, the attacker can execute arbitrary code remotely with the privileges of the NetBox service user.
How can this vulnerability impact me? :
The vulnerability can lead to remote code execution on the server running NetBox. An attacker with the required permissions can run arbitrary commands, potentially leading to unauthorized access, data theft, service disruption, or further compromise of the system and network.