Skip to main content

Nautobot CVE-2026-44798

| EUVDEUVD-2026-32973 HIGH
Modification of Assumed-Immutable Data (MAID) (CWE-471)
2026-05-13 https://github.com/nautobot/nautobot GHSA-p3hx-pwf3-j8wr
7.1
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
7.1 HIGH
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
High

Lifecycle Timeline

3
Source Code Evidence Fetched
May 13, 2026 - 16:31 vuln.today
Analysis Generated
May 13, 2026 - 16:31 vuln.today
CVE Published
May 13, 2026 - 15:31 nvd
HIGH 7.1

DescriptionGitHub Advisory

Impact

A user with access to add/change a GitRepository record could use the REST API to directly set the current_head field on the record, which was not intended to be user-editable. Doing so could cause Nautobot's local clone(s) of the relevant repository to checkout a commit other than the latest commit on the specified branch (resulting in misleading state), or potentially to be unable to make use of the repository at all (until manually remediated) due to the current_head pointing to a nonexistent commit hash or malformed value.

Patches

The issue has been remediated in Nautobot v2.4.33 and 3.1.2.

Workarounds

Note that many of the same end-result symptoms could be caused by a user with the same level of access simply changing the branch or remote_url of a GitRepository rather than crafting the current_head. Administrators are encouraged to carefully review which users are granted permissions to create and modify GitRepository records.

References

  • 2.4.33 (<a href="https://github.com/nautobot/nautobot/commit/9deddfc91ad9260ad17b5e20084e9e2d15be3609">patch</a>)
  • 3.1.2 (<a href="https://github.com/nautobot/nautobot/commit/c46f97040b2bde4320be36b23577f19a8bcbd8c3">patch</a>)

AnalysisAI

Authenticated users with GitRepository modification privileges in Nautobot can manipulate the current_head field via REST API to force local repository clones to check out arbitrary commits, causing repository state inconsistency or denial of service. The unintended write access stems from improper REST API serializer configuration (CWE-471: Modification of Assumed-Immutable Data). Vendor-released patches in versions 2.4.33 and 3.1.2 add field-level access controls and input validation to prevent manipulation of the internal current_head tracking field. No public exploit identified at time of analysis, though exploitation requires only low-privilege authenticated API access.

Technical ContextAI

Nautobot is a Network Source of Truth and network automation platform built on Django REST Framework. The vulnerability exists in the GitRepository model's REST API serializer, which incorrectly exposed the current_head field (an internal state tracker for the checked-out commit SHA) as writable. This field should be managed exclusively by Nautobot's GitRepo helper class during legitimate sync operations. The underlying issue is CWE-471 (Modification of Assumed-Immutable Data) - the application assumed current_head would only be modified through controlled code paths but failed to enforce this assumption at the API boundary. The patches introduce validate_git_ref() input validation rejecting whitespace, dash-prefixed values, and malformed commit hashes, plus mark current_head as read-only in the serializer. The affected package is pip/nautobot with CPE pkg:pip/nautobot. Vulnerable versions are <2.4.33 in the 2.x line and >=3.0.0a2,<3.1.2 in the 3.x line.

RemediationAI

Upgrade to Nautobot version 2.4.33 (for 2.x deployments) or 3.1.2 (for 3.x deployments) which include patches preventing current_head manipulation via commit 9deddfc91ad9260ad17b5e20084e9e2d15be3609 (2.x) and c46f97040b2bde4320be36b23577f19a8bcbd8c3 (3.x). Release artifacts available at https://github.com/nautobot/nautobot/releases/tag/v2.4.33 and https://github.com/nautobot/nautobot/releases/tag/v3.1.2. If immediate patching is not feasible, implement compensating controls by restricting add_gitrepository and change_gitrepository permissions to only essential automation service accounts and senior infrastructure administrators, noting that this reduces but does not eliminate risk since privileged users can still manipulate branch and remote_url fields to cause similar disruption. Audit existing GitRepository objects for anomalous current_head values (should match the latest commit on the configured branch) and review access logs for unauthorized API modifications to /api/extras/git-repositories/ endpoints. Trade-off: restricting permissions may break existing automation workflows that legitimately create/modify repository configurations.

Share

CVE-2026-44798 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy