CVE-2026-44798

EPSS 0.28%
Veröffentlicht 28.05.2026 16:57:45
Zuletzt bearbeitet 28.05.2026 19:30:57
Quelle security-advisories@github.com
CVE-Watchlists
Login
Unerledigt
Login

Nautobot: GitRepository.current_head field should not be writable through REST API

Nautobot is a Network Source of Truth and Network Automation Platform. Prior to 2.4.33 and 3.1.2, a user with access to add/change a GitRepository record could use the REST API to directly set the current_head field on the record, which was not intended to be user-editable. Doing so could cause Nautobot's local clone(s) of the relevant repository to checkout a commit other than the latest commit on the specified branch (resulting in misleading state), or potentially to be unable to make use of the repository at all (until manually remediated) due to the current_head pointing to a nonexistent commit hash or malformed value. This vulnerability is fixed in 2.4.33 and 3.1.2.

Betroffene Produkte Warnungen 0 Metriken 2 CWE 2 Referenzen 8

NVD 2 VulnDex Vulnerability Enrichment 0

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Networktocode ≫ Nautobot Version < 2.4.33

Networktocode ≫ Nautobot Version >= 3.0.0 < 3.1.2

Zu dieser CVE wurde keine Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.28%	0.192

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
security-advisories@github.com	7.1	2.8	4.2	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H

CWE-471 Modification of Assumed-Immutable Data (MAID)

The product does not properly protect an assumed-immutable element from being modified by an attacker.

CWE-749 Exposed Dangerous Method or Function

The product provides an Applications Programming Interface (API) or similar interface for interaction with external actors, but the interface includes a dangerous method or function that is not properly restricted.

https://github.com/nautobot/nautobot/releases/tag/v2.4.33

Product

Release Notes

https://github.com/nautobot/nautobot/releases/tag/v3.1.2

Product

Release Notes

https://github.com/nautobot/nautobot/security/advisories/GHSA-p3hx-pwf3-j8wr

Patch

Vendor Advisory

Mitigation

https://github.com/nautobot/nautobot/commit/9deddfc91ad9260ad17b5e20084e9e2d15be3609

Patch

https://github.com/nautobot/nautobot/commit/c46f97040b2bde4320be36b23577f19a8bcbd8c3

Patch

https://nvd.nist.gov/vuln/detail/CVE-2026-44798

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2026-44798

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2026-44798

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2026-44798