Detections
Analytics

CVE-2026-44794

medium

Description

Nautobot is a Network Source of Truth and Network Automation Platform. Prior to 2.4.33 and 3.1.2, in the case of inter-object references via GenericForeignKey (a pattern allowing an object to reference another object that may belong to one of several different "content types" or database tables), when creating or updating an object containing a GenericForeignKey, Nautobot's REST API failed to enforce user "view" permissions when determining whether a given reference to another object would be valid. This vulnerability is fixed in 2.4.33 and 3.1.2.

References

https://github.com/nautobot/nautobot/security/advisories/GHSA-wpxj-44w3-2j6x

https://github.com/nautobot/nautobot/releases/tag/v3.1.2

https://github.com/nautobot/nautobot/releases/tag/v2.4.33

https://github.com/nautobot/nautobot/commit/9918bdb9bcf1eb42cda72c344f420a64ef7665f1

https://github.com/nautobot/nautobot/commit/36cde7148a207234de6212ec074f321dbc9d1b5b

Details

Source: Mitre, NVD

Published: 2026-05-28

Updated: 2026-05-29

Risk Information

CVSS v2

Base Score: 5.5

Vector: CVSS2#AV:N/AC:L/Au:S/C:P/I:P/A:N

Severity: Medium

CVSS v3

Base Score: 5.4

Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

Severity: Medium

EPSS

EPSS: 0.00021