Skip to main content

Nautobot CVE-2026-44796

| EUVDEUVD-2026-32975 MEDIUM
Uncontrolled Resource Consumption (CWE-400)
2026-05-13 https://github.com/nautobot/nautobot GHSA-qrpw-gjvh-x5gm
6.5
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

2
Source Code Evidence Fetched
Jun 08, 2026 - 12:35 vuln.today
Analysis Generated
Jun 08, 2026 - 12:35 vuln.today

DescriptionGitHub Advisory

Impact

Nautobot UI object-bulk-rename endpoints (for example, /dcim/interfaces/rename/) were vulnerable to application-wide denial of service via maliciously crafted regular expressions in the find field in combination with the use_regex flag.

Patches

A general-purpose timeout has been added to these endpoints in Nautobot v2.4.33 and v3.1.2, which ensures that the request will fail early with an appropriate message if regular expression evaluation takes more than a short period of time, instead of continuing to execute for an indefinite duration.

Workarounds

No known workaround has been identified at this time.

References

  • 2.4.33 (<a href="https://github.com/nautobot/nautobot/commit/c2b766966d814a7141f62c7bc90c85fefb7892ee">patch</a>)
  • 3.1.2 (<a href="https://github.com/nautobot/nautobot/commit/5a30d0916953afbeedd24a784709e762cc3879cd">patch</a>)

AnalysisAI

Nautobot's UI object bulk-rename endpoints (e.g., /dcim/interfaces/rename/) allow authenticated low-privilege users to trigger application-wide denial of service by submitting a maliciously crafted regular expression in the find field with the use_regex flag enabled, causing Python's re.sub() to enter catastrophic backtracking that stalls worker processes indefinitely. All Nautobot installations running versions prior to 2.4.33 (v2.x branch) or prior to 3.1.2 (v3.x branch, from 3.0.0a2) are affected. No active exploitation has been confirmed (not in CISA KEV), no public exploit code has been identified, and EPSS is 0.04% (14th percentile); vendor-released patches are available.

Technical ContextAI

This is a CWE-400 (Uncontrolled Resource Consumption) vulnerability rooted in Python's built-in re module's susceptibility to catastrophic backtracking - a class of attack known as REDoS (Regular Expression Denial of Service). The affected package is pkg:pip/nautobot. The bulk-rename views (BulkRenameView and ObjectBulkRenameViewMixin) passed the user-supplied find field regex directly to re.sub() against each selected object's .name string, with no complexity limit, timeout, or pre-validation. A carefully constructed regex such as (a+)+$ combined with a near-match input string causes evaluation time to grow exponentially, blocking the application worker thread or process for an indefinite duration. The fix introduces signal.SIGALRM-based timeout enforcement in the rename views and promotes the regex>=2026.4.4 package from a development-only dependency to a production dependency, enabling safer regex evaluation. Additionally, bespoke bulk_rename actions on ModuleBayUIViewSet and ModuleBayTemplateUIViewSet were consolidated into the generic ObjectBulkRenameViewMixin to ensure consistent protection across all affected endpoints.

RemediationAI

Upgrade Nautobot to v2.4.33 for deployments on the 2.x branch, or to v3.1.2 for deployments on the 3.x branch (from 3.0.0a2), as the primary and recommended remediation per vendor advisory GHSA-qrpw-gjvh-x5gm at https://github.com/nautobot/nautobot/security/advisories/GHSA-qrpw-gjvh-x5gm. The patch introduces a signal.SIGALRM-based timeout to both the legacy BulkRenameView and the ObjectBulkRenameViewMixin, causing requests to fail fast with an error if regex evaluation exceeds a short duration, and adds regex>=2026.4.4 as a production dependency. The vendor has confirmed no known workaround exists. As a compensating control prior to patching, operators may restrict access to bulk-rename endpoints (URL paths matching /*/rename/) via reverse proxy ACLs or WAF rules - this fully blocks the attack surface but disables the bulk-rename feature for all users. Alternatively, restricting Nautobot change permissions to a minimal set of trusted users reduces the pool of potential attackers but does not eliminate the vulnerability.

Share

CVE-2026-44796 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy