CVE-2026-44794
Nautobot: REST API permits creation of GenericForeignKey references to objects that the user should not be able to reference
| CVSS Score | 5.4 |
| EPSS Score | 0.0% |
| EPSS Percentile | 6th |
Nautobot is a Network Source of Truth and Network Automation Platform. Prior to 2.4.33 and 3.1.2, in the case of inter-object references via GenericForeignKey (a pattern allowing an object to reference another object that may belong to one of several different "content types" or database tables), when creating or updating an object containing a GenericForeignKey, Nautobot's REST API failed to enforce user "view" permissions when determining whether a given reference to another object would be valid. This vulnerability is fixed in 2.4.33 and 3.1.2.
| CWE | CWE-862 |
| Vendor | nautobot |
| Product | nautobot |
| Published | May 28, 2026 |
| Last Updated | May 30, 2026 |
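The defect above is a missing authorization check (CWE-862) at the point where a GenericForeignKey reference is validated: the API confirmed that the target existed, but not that the requesting user was permitted to view it. The following is an added, self-contained illustration of that pattern and its fix; it is not Nautobot's code, and the content-type labels, the `tenant` attribute and the in-memory `DB` are constructed stand-ins for a Django content-type/object-permission setup.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Obj:
    content_type: str  # "app.model" label; all labels here are constructed
    pk: int
    tenant: str        # attribute the constructed "view" constraint filters on

# Constructed stand-in for the database: objects across two content types.
DB = {
    ("app.device", 1): Obj("app.device", 1, "tenant-a"),
    ("app.device", 2): Obj("app.device", 2, "tenant-b"),
    ("app.address", 7): Obj("app.address", 7, "tenant-b"),
}

@dataclass
class User:
    # Object-level "view" permission: content_type -> tenants the user may see.
    view: dict = field(default_factory=dict)
    def viewable(self, content_type, objs):
        """Filter objs down to those this user is permitted to view."""
        allowed = self.view.get(content_type, set())
        return [o for o in objs if o.tenant in allowed]

class ValidationError(Exception):
    pass

def resolve_reference_unchecked(user, content_type, object_id):
    """Vulnerable pattern: any (content_type, object_id) that exists is accepted."""
    obj = DB.get((content_type, object_id))
    if obj is None:
        raise ValidationError("referenced object does not exist")
    return obj

def resolve_reference(user, content_type, object_id):
    """Fixed pattern: the target must resolve within the user's viewable set."""
    obj = DB.get((content_type, object_id))
    permitted = user.viewable(content_type, [obj] if obj else [])
    if not permitted:
        raise ValidationError("referenced object does not exist or is not viewable")
    return permitted[0]

def reference_accepted(resolver, user, content_type, object_id):
    """True if resolver accepts the reference; lets both paths be compared."""
    try:
        resolver(user, content_type, object_id)
    except ValidationError:
        return False
    return True
```

The fixed resolver answers "does not exist" and "not viewable" with the same error, so a low-privileged caller cannot use the reference field to probe for objects outside its view scope.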
CVSS v3 Breakdown
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
| Attack Vector | Network |
| Attack Complexity | Low |
| Privileges Required | Low |
| User Interaction | None |
| Scope | Unchanged |
| Confidentiality | Low |
| Integrity | Low |
| Availability | None |
Affected Versions
nautobot / nautobot
- >= 3.0.0a2, < 3.1.2
- < 2.4.33
References
- https://github.com/nautobot/nautobot/security/advisories/GHSA-wpxj-44w3-2j6x
- https://github.com/nautobot/nautobot/commit/36cde7148a207234de6212ec074f321dbc9d1b5b
- https://github.com/nautobot/nautobot/commit/9918bdb9bcf1eb42cda72c344f420a64ef7665f1
- https://github.com/nautobot/nautobot/releases/tag/v2.4.33
- https://github.com/nautobot/nautobot/releases/tag/v3.1.2