CVE-2026-44794
Stored XSS via GenericForeignKey in Nautobot
Publication date: 2026-05-28
Last updated on: 2026-05-28
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| nautobot | nautobot | to 2.4.33 (inc) |
| nautobot | nautobot | to 3.1.2 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-862 | The product does not perform an authorization check when an actor attempts to access a resource or perform an action. |
Attack-Flow Graph
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The vulnerability in Nautobot's REST API allows unauthorized users to create or update objects referencing other objects they do not have permission to view. This improper enforcement of "view" permissions could lead to unauthorized access to restricted data.
Such unauthorized access to sensitive or restricted information may impact compliance with standards and regulations like GDPR or HIPAA, which require strict access controls and protection of personal or sensitive data.
By allowing users to bypass permission checks, the vulnerability could result in exposure or manipulation of data that should be protected under these regulations, potentially leading to compliance violations.
The issue has been fixed in Nautobot versions 2.4.33 and 3.1.2 by enforcing proper permission checks, thereby mitigating the risk of unauthorized data access and helping maintain compliance.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves improper enforcement of user "view" permissions in Nautobot's REST API when creating or updating objects with GenericForeignKey references. Detection would involve checking whether unauthorized users can create or update objects referencing restricted content types or objects.
Since the issue is related to REST API permission enforcement, detection can be performed by attempting to create or update objects via the Nautobot REST API with GenericForeignKey fields referencing objects the user should not have access to.
Specific commands or scripts are not provided in the available resources. However, a practical approach would be to use API calls (e.g., via curl or HTTP clients) to test creating or updating ImageAttachment or ContactAssociation objects referencing restricted Device, Location, or Rack objects without proper permissions.
Can you explain this vulnerability to me?
CVE-2026-44794 is a vulnerability in Nautobot's REST API related to the handling of GenericForeignKey fields, which allow an object to reference other objects of various content types. Prior to versions 2.4.33 and 3.1.2, the API failed to enforce user "view" permissions when creating or updating objects containing these references. This means users could create or update objects linking to other objects they do not have permission to view, potentially leading to unauthorized access or manipulation of restricted data.
The issue specifically affected serializers like ImageAttachment and ContactAssociation, which incorrectly allowed operations on unsupported or invalid content types. The vulnerability was fixed by enforcing proper permission checks, restricting allowed content types, and improving validation logic in the API.
How can this vulnerability impact me? :
This vulnerability can allow unauthorized users to create or update objects in Nautobot that reference other objects they are not permitted to view. For example, a user could link an ImageAttachment to a Device record they do not have access to if they know its identifier. This could lead to unauthorized exposure or manipulation of restricted network infrastructure data.
The impact includes potential unauthorized access to sensitive or restricted objects, improper data associations, and possible security risks arising from bypassing intended permission controls. The vulnerability has a moderate severity with a CVSS score of 5.4, indicating it requires low privileges and has low attack complexity.
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation step is to upgrade Nautobot to a fixed version where this vulnerability is addressed.
- Upgrade Nautobot to version 2.4.33 or later if using the 2.4.x branch.
- Upgrade Nautobot to version 3.1.2 or later if using the 3.1.x branch.
These versions include fixes that enforce proper user "view" permissions when assigning related objects via GenericForeignKey fields, preventing unauthorized object creation or modification.