CVE-2026-44796

MEDIUM 6.5

Nautobot: Object bulk rename UI actions vulnerable to denial of service by crafted regular expression (REDoS)

CVSS Score

6.5

EPSS Score

0.0%

EPSS Percentile

14th

Nautobot is a Network Source of Truth and Network Automation Platform. Prior to 2.4.33 and 3.1.2, Nautobot UI object-bulk-rename endpoints (for example, /dcim/interfaces/rename/) were vulnerable to application-wide denial of service via maliciously crafted regular expressions in the find field in combination with the use_regex flag. This vulnerability is fixed in 2.4.33 and 3.1.2.

CWE	CWE-400 CWE-1333
Vendor	nautobot
Product	nautobot
Published	May 28, 2026
Last Updated	May 30, 2026

Stay Ahead of the Next One

Get instant alerts for nautobot nautobot

Be the first to know when new medium vulnerabilities affecting nautobot nautobot are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

High

Affected Versions

nautobot / nautobot

>= 3.0.0a2, < 3.1.2 < 2.4.33

References

NVD ↗ CVE.org ↗ EPSS Data ↗

github.com: https://github.com/nautobot/nautobot/security/advisories/GHSA-qrpw-gjvh-x5gm github.com: https://github.com/nautobot/nautobot/commit/5a30d0916953afbeedd24a784709e762cc3879cd github.com: https://github.com/nautobot/nautobot/commit/c2b766966d814a7141f62c7bc90c85fefb7892ee github.com: https://github.com/nautobot/nautobot/releases/tag/v2.4.33 github.com: https://github.com/nautobot/nautobot/releases/tag/v3.1.2