5.4
CVE-2026-44794
- EPSS 0.18%
- Veröffentlicht 28.05.2026 17:01:21
- Zuletzt bearbeitet 29.05.2026 13:29:06
- Quelle security-advisories@github.com
- CVE-Watchlists
- Unerledigt
LoginNautobot: REST API permits creation of GenericForeignKey references to objects that the user should not be able to reference
Nautobot is a Network Source of Truth and Network Automation Platform. Prior to 2.4.33 and 3.1.2, in the case of inter-object references via GenericForeignKey (a pattern allowing an object to reference another object that may belong to one of several different "content types" or database tables), when creating or updating an object containing a GenericForeignKey, Nautobot's REST API failed to enforce user "view" permissions when determining whether a given reference to another object would be valid. This vulnerability is fixed in 2.4.33 and 3.1.2.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
Networktocode ≫ Nautobot Version < 2.4.33
Networktocode ≫ Nautobot Version >= 3.0.0 < 3.1.2
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.18% | 0.074 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| security-advisories@github.com | 5.4 | 2.8 | 2.5 |
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
|
CWE-862 Missing Authorization
The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
https://github.com/nautobot/nautobot/security/advisories/GHSA-wpxj-44w3-2j6x
https://github.com/nautobot/nautobot/commit/36cde7148a207234de6212ec074f321dbc9d1b5b
https://github.com/nautobot/nautobot/commit/9918bdb9bcf1eb42cda72c344f420a64ef7665f1
https://github.com/nautobot/nautobot/releases/tag/v2.4.33
https://github.com/nautobot/nautobot/releases/tag/v3.1.2