CVE-2026-44794
MEDIUM
5.4
CVSS 3.1
Description
Nautobot is a Network Source of Truth and Network Automation Platform. Prior to 2.4.33 and 3.1.2, in the case of inter-object references via GenericForeignKey (a pattern allowing an object to reference another object that may belong to one of several different "content types" or database tables), when creating or updating an object containing a GenericForeignKey, Nautobot's REST API failed to enforce user "view" permissions when determining whether a given reference to another object would be valid. This vulnerability is fixed in 2.4.33 and 3.1.2.
Metadata
Severity & Metrics
5.4
MEDIUM CVSS 3.1
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
SSVC — CISA Coordinator
Affected products (1)
| Vendor | Product | Platform | Versions |
|---|---|---|---|
| nautobot | nautobot | — | >= 3.0.0a2, < 3.1.2, < 2.4.33 |
Weakness (CWE)
| CWE | Source | Description |
|---|---|---|
| CWE-862 | cna | CWE-862: Missing Authorization |
CVSS scores (1)
| Score | Severity | Version | Source | Vector |
|---|---|---|---|---|
| 5.4 | MEDIUM | 3.1 | cna | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N |
References (5)
- https://github.com/nautobot/nautobot/security/advisories/GHSA-wpxj-44w3-2j6x https://github.com/nautobot/nautobot/security/advisories/GHSA-wpxj-44w3-2j6x
- https://github.com/nautobot/nautobot/commit/36cde7148a207234de6212ec074f321dbc9d1b5b https://github.com/nautobot/nautobot/commit/36cde7148a207234de6212ec074f321dbc9d1b5b
- https://github.com/nautobot/nautobot/commit/9918bdb9bcf1eb42cda72c344f420a64ef7665f1 https://github.com/nautobot/nautobot/commit/9918bdb9bcf1eb42cda72c344f420a64ef7665f1
- https://github.com/nautobot/nautobot/releases/tag/v2.4.33 https://github.com/nautobot/nautobot/releases/tag/v2.4.33
- https://github.com/nautobot/nautobot/releases/tag/v3.1.2 https://github.com/nautobot/nautobot/releases/tag/v3.1.2