Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H
Lifecycle Timeline
3DescriptionGitHub Advisory
Impact
A user with access to add/change a GitRepository record could use the REST API to directly set the current_head field on the record, which was not intended to be user-editable. Doing so could cause Nautobot's local clone(s) of the relevant repository to checkout a commit other than the latest commit on the specified branch (resulting in misleading state), or potentially to be unable to make use of the repository at all (until manually remediated) due to the current_head pointing to a nonexistent commit hash or malformed value.
Patches
The issue has been remediated in Nautobot v2.4.33 and 3.1.2.
Workarounds
Note that many of the same end-result symptoms could be caused by a user with the same level of access simply changing the branch or remote_url of a GitRepository rather than crafting the current_head. Administrators are encouraged to carefully review which users are granted permissions to create and modify GitRepository records.
References
- 2.4.33 (<a href="https://github.com/nautobot/nautobot/commit/9deddfc91ad9260ad17b5e20084e9e2d15be3609">patch</a>)
- 3.1.2 (<a href="https://github.com/nautobot/nautobot/commit/c46f97040b2bde4320be36b23577f19a8bcbd8c3">patch</a>)
AnalysisAI
Authenticated users with GitRepository modification privileges in Nautobot can manipulate the current_head field via REST API to force local repository clones to check out arbitrary commits, causing repository state inconsistency or denial of service. The unintended write access stems from improper REST API serializer configuration (CWE-471: Modification of Assumed-Immutable Data). Vendor-released patches in versions 2.4.33 and 3.1.2 add field-level access controls and input validation to prevent manipulation of the internal current_head tracking field. No public exploit identified at time of analysis, though exploitation requires only low-privilege authenticated API access.
Technical ContextAI
Nautobot is a Network Source of Truth and network automation platform built on Django REST Framework. The vulnerability exists in the GitRepository model's REST API serializer, which incorrectly exposed the current_head field (an internal state tracker for the checked-out commit SHA) as writable. This field should be managed exclusively by Nautobot's GitRepo helper class during legitimate sync operations. The underlying issue is CWE-471 (Modification of Assumed-Immutable Data) - the application assumed current_head would only be modified through controlled code paths but failed to enforce this assumption at the API boundary. The patches introduce validate_git_ref() input validation rejecting whitespace, dash-prefixed values, and malformed commit hashes, plus mark current_head as read-only in the serializer. The affected package is pip/nautobot with CPE pkg:pip/nautobot. Vulnerable versions are <2.4.33 in the 2.x line and >=3.0.0a2,<3.1.2 in the 3.x line.
RemediationAI
Upgrade to Nautobot version 2.4.33 (for 2.x deployments) or 3.1.2 (for 3.x deployments) which include patches preventing current_head manipulation via commit 9deddfc91ad9260ad17b5e20084e9e2d15be3609 (2.x) and c46f97040b2bde4320be36b23577f19a8bcbd8c3 (3.x). Release artifacts available at https://github.com/nautobot/nautobot/releases/tag/v2.4.33 and https://github.com/nautobot/nautobot/releases/tag/v3.1.2. If immediate patching is not feasible, implement compensating controls by restricting add_gitrepository and change_gitrepository permissions to only essential automation service accounts and senior infrastructure administrators, noting that this reduces but does not eliminate risk since privileged users can still manipulate branch and remote_url fields to cause similar disruption. Audit existing GitRepository objects for anomalous current_head values (should match the latest commit on the configured branch) and review access logs for unauthorized API modifications to /api/extras/git-repositories/ endpoints. Trade-off: restricting permissions may break existing automation workflows that legitimately create/modify repository configurations.
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-32973
GHSA-p3hx-pwf3-j8wr