Severity by source
AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
Lifecycle Timeline
4Blast Radius
ecosystem impact- 1 pypi packages depend on nautobot (1 direct, 0 indirect)
Ecosystem-wide dependent count for version 2.0.0.
DescriptionGitHub Advisory
Nautobot is a Network Source of Truth and Network Automation Platform. Prior to v2.4.10 and v1.6.32 , files uploaded by users to Nautobot's MEDIA_ROOT directory, including DeviceType image attachments as well as images attached to a Location, Device, or Rack, are served to users via a URL endpoint that was not enforcing user authentication. As a consequence, such files can be retrieved by anonymous users who know or can guess the correct URL for a given file. Nautobot v2.4.10 and v1.6.32 address this issue by adding enforcement of Nautobot user authentication to this endpoint.
Analysis
Nautobot is a Network Source of Truth and Network Automation Platform. Prior to v2.4.10 and v1.6.32 , files uploaded by users to Nautobot's MEDIA_ROOT directory, including DeviceType image attachments as well as images attached to a Location, Device, or Rack, are served to users via a URL endpoint that was not enforcing user authentication. As a consequence, such files can be retrieved by anonymous users who know or can guess the correct URL for a given file. Nautobot v2.4.10 and v1.6.32 address this issue by adding enforcement of Nautobot user authentication to this endpoint.
Technical ContextAI
Information disclosure occurs when an application inadvertently reveals sensitive data to unauthorized actors through error messages, logs, or improper access controls. This vulnerability is classified as Information Exposure (CWE-200).
RemediationAI
A vendor patch is available — apply it immediately. Implement proper access controls. Sanitize error messages in production. Review logging practices to avoid capturing sensitive data.
Nautobot is a Network Automation Platform built as a web application atop the Django Python framework with a PostgreSQL
Nautobot is a Network Source of Truth and Network Automation Platform. Rated critical severity (CVSS 9.8), this vulnerab
Nautobot is a Network Source of Truth and Network Automation Platform. Rated medium severity (CVSS 4.8), this vulnerabil
A remote code execution vulnerability in Nautobot (CVSS 7.1). High severity vulnerability requiring prompt remediation.
Nautobot is a Network Source of Truth and Network Automation Platform. Rated medium severity (CVSS 6.5), this vulnerabil
Nautobot is a Network Source of Truth and Network Automation Platform built as a web application atop the Django Python
Nautobot is a Network Source of Truth and Network Automation Platform built as a web application. Rated medium severity
Nautobot is a Network Source of Truth and Network Automation Platform built as a web application All users of Nautobot v
Nautobot is a Network Source of Truth and Network Automation Platform. Rated medium severity (CVSS 5.3), this vulnerabil
Nautobot is a Network Source of Truth and Network Automation Platform built as a web application atop the Django Python
Nautobot is a Network Source of Truth and Network Automation Platform built as a web application atop the Django Python
Same weakness CWE-200 – Information Exposure
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2025-17712
GHSA-rh67-4c8j-hjjh