CVE-2026-44797
SSRF in Nautobot via Webhook Configuration
Publication date: 2026-05-28
Last updated on: 2026-05-28
Assigner: GitHub, Inc.
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| nautobot | nautobot | versions before 2.4.33 (2.4.33 not affected) |
| nautobot | nautobot | versions before 3.1.2 (3.1.2 not affected) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-918 | The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-44797 is a Server-Side Request Forgery (SSRF) vulnerability in Nautobot's webhook functionality. It allows users with sufficient access to configure webhooks whose target URLs point at hosts or IP addresses that should normally be off-limits. Because the webhook request is issued by the Nautobot server itself, such a webhook reaches network locations the configuring user could not reach directly, which is the defining characteristic of SSRF.
The vulnerability was present in Nautobot versions prior to 2.4.33 and 3.1.2 and has been fixed by introducing security enhancements that restrict webhook target destinations and prevent unauthorized network requests.
How can this vulnerability impact me?
This vulnerability can allow an attacker with sufficient access to Nautobot to perform unauthorized network requests through the webhook feature. This could lead to exposure of internal network resources, unauthorized data access, or interaction with services that should be inaccessible, potentially compromising confidentiality and integrity.
Because the requests originate from the Nautobot server, they can bypass network restrictions that apply to the user and reach sensitive or restricted systems, increasing the risk of further attacks or data breaches.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
To detect this vulnerability on your system, administrators should audit existing webhook configurations in Nautobot to identify any webhook definitions that allow requests to unauthorized or potentially dangerous hosts and IP addresses.
Since the vulnerability involves SSRF through webhook definitions, checking webhook records for URLs using disallowed schemes or targeting restricted IP ranges (such as loopback, link-local, multicast, or private RFC1918 networks) is essential.
The exact commands for listing or inspecting webhook configurations depend on the Nautobot version, its CLI, and its REST API. Note that the `nautobot-server webhook_receiver` command that was previously available for testing webhooks has been removed due to security risks, so it should not be relied on.
Administrators can use Nautobot's API or database queries to extract webhook URLs and verify their schemes and target hosts/IPs against the allowed lists and blocked networks.
Example approach (assuming access to Nautobot's database or API):
- Query webhook URLs and check if any use schemes other than HTTP or HTTPS.
- Check if webhook target IPs fall within blocked network ranges such as private RFC1918 addresses.
- Review webhook hostnames against the WEBHOOK_ALLOWED_HOSTS setting to ensure only authorized hosts are allowed.
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include upgrading Nautobot to version 2.4.33 or 3.1.2 or later, where the vulnerability is fixed.
Administrators should audit and update existing webhook configurations to ensure they do not allow requests to unauthorized hosts or IP addresses.
Configure the new security settings introduced to restrict webhook behavior:
- Set WEBHOOK_ALLOWED_SCHEMES to restrict webhook URLs to only HTTP and HTTPS.
- Use WEBHOOK_ADDITIONAL_BLOCKED_NETWORKS to specify additional IP ranges (such as private networks) that should be blocked.
- Define WEBHOOK_ALLOWED_HOSTS to create an allow-list of specific hostnames or domains that can bypass network restrictions.
Note that the built-in block-list cannot be disabled, and these settings enforce restrictions on loopback, link-local, multicast, unspecified, and reserved IP addresses both when defining webhooks and during execution.
Remove or update any webhook records that fail these checks so that they cannot be used for SSRF.
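The audit procedure above (check each webhook URL's scheme, compare its target address against the built-in and additional blocked networks, and honour the host allow-list) and the three settings from the mitigation steps can be exercised together in one script. The following is an added illustration written for this page, not Nautobot's own validation code: the setting names WEBHOOK_ALLOWED_SCHEMES, WEBHOOK_ALLOWED_HOSTS and WEBHOOK_ADDITIONAL_BLOCKED_NETWORKS are taken from the advisory text, but the settings layout, the `payload_url` field name, the `resolver` callback and the sample webhook records are all assumptions constructed for the example.

```python
"""Audit webhook URLs against scheme, host allow-list and blocked-network rules.

Illustrative code added for this page; it is NOT Nautobot's own validation
logic. Setting names come from the advisory; the dict layout, the
`payload_url` field name, the resolver callback and the sample records are
constructed assumptions.
"""
import ipaddress
from urllib.parse import urlsplit

# Constructed example settings mirroring the advisory's recommendations.
SETTINGS = {
    "WEBHOOK_ALLOWED_SCHEMES": {"http", "https"},
    # Hosts on the allow-list bypass the network checks (advisory wording).
    "WEBHOOK_ALLOWED_HOSTS": {"hooks.example.com"},
    # Additional ranges on top of the built-in block-list: RFC1918 here.
    "WEBHOOK_ADDITIONAL_BLOCKED_NETWORKS": [
        "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    ],
}


def is_builtin_blocked(ip):
    """Built-in block-list that cannot be disabled: loopback, link-local,
    multicast, unspecified and reserved addresses (IPv4 and IPv6)."""
    return (ip.is_loopback or ip.is_link_local or ip.is_multicast
            or ip.is_unspecified or ip.is_reserved)


def audit_webhook_url(url, settings=SETTINGS, resolver=None):
    """Return a list of findings for one webhook URL; an empty list passes.

    `resolver` is an assumed callback mapping a hostname to a list of IP
    strings. It defaults to None so the example runs offline; a real audit
    would resolve DNS and should repeat the check at execution time because a
    hostname can be repointed after the webhook was saved.
    """
    findings = []
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in settings["WEBHOOK_ALLOWED_SCHEMES"]:
        findings.append(f"disallowed scheme '{scheme}'")

    host = parts.hostname  # already lower-cased, IPv6 brackets stripped
    if not host:
        findings.append("missing host")
        return findings
    if host in settings["WEBHOOK_ALLOWED_HOSTS"]:
        return findings  # explicit allow-list entry skips the network checks

    # Candidate addresses: the literal IP in the URL, or whatever resolves.
    try:
        candidates = [ipaddress.ip_address(host)]
    except ValueError:
        resolved = resolver(host) if resolver else []
        candidates = [ipaddress.ip_address(a) for a in resolved]
        if not candidates:
            findings.append(f"host '{host}' not resolved; re-check at execution time")

    blocked_nets = [ipaddress.ip_network(n, strict=False)
                    for n in settings["WEBHOOK_ADDITIONAL_BLOCKED_NETWORKS"]]
    for ip in candidates:
        if is_builtin_blocked(ip):
            findings.append(f"{ip} is in the built-in block-list")
        elif any(ip in net for net in blocked_nets):
            findings.append(f"{ip} is in WEBHOOK_ADDITIONAL_BLOCKED_NETWORKS")
    return findings


def audit_webhooks(records, settings=SETTINGS, resolver=None):
    """Map webhook name -> findings for every record that fails a check."""
    result = {}
    for rec in records:
        findings = audit_webhook_url(rec["payload_url"], settings, resolver)
        if findings:
            result[rec["name"]] = findings
    return result


# Constructed sample records; `payload_url` is an assumed field name.
SAMPLE_WEBHOOKS = [
    {"name": "ok-external", "payload_url": "https://hooks.example.com/notify"},
    {"name": "loopback", "payload_url": "http://127.0.0.1:8000/hook"},
    {"name": "ipv6-loopback", "payload_url": "http://[::1]/hook"},
    {"name": "ftp-rfc1918", "payload_url": "ftp://10.0.0.5/hook"},
    {"name": "link-local", "payload_url": "https://169.254.10.10/hook"},
    {"name": "internal-name", "payload_url": "https://internal.corp.test/hook"},
]


def fake_resolver(host):
    """Constructed stand-in for DNS so the audit runs offline."""
    return {"internal.corp.test": ["192.168.1.10"]}.get(host, [])


if __name__ == "__main__":
    for name, findings in audit_webhooks(SAMPLE_WEBHOOKS, resolver=fake_resolver).items():
        print(f"{name}: " + "; ".join(findings))
```

Running the script lists every sample webhook that fails a check; only `ok-external` is silent, because its host is on the allow-list. Plugging in a real DNS lookup for `resolver` and feeding the records from the Nautobot API turns this into the audit described above.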
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
CVE-2026-44797 involves a server-side request forgery (SSRF) vulnerability in Nautobot's webhook functionality that could allow users with sufficient access to make unauthorized requests to various hosts and IP addresses. This type of vulnerability can potentially lead to unauthorized access or data exposure within internal networks.
While the provided information does not explicitly mention compliance with standards such as GDPR or HIPAA, SSRF vulnerabilities generally pose risks to data confidentiality and integrity, which are critical aspects of these regulations. Exploitation could lead to unauthorized data access or leakage, potentially resulting in non-compliance with data protection requirements.
The fixes introduced in Nautobot versions 2.4.33 and 3.1.2 include strict controls on webhook target destinations, blocking unauthorized network access, and enforcing allow-lists and block-lists for network addresses. These mitigations help reduce the risk of unauthorized data access and improve security posture, which supports compliance efforts.
Administrators are advised to audit webhook configurations and user permissions to ensure no invalid or risky settings remain, further aiding in maintaining compliance with security best practices and regulatory requirements.