Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
Lifecycle Timeline
2DescriptionGitHub Advisory
Impact
In the case of inter-object references via GenericForeignKey (a pattern allowing an object to reference another object that may belong to one of several different "content types" or database tables), when creating or updating an object containing a GenericForeignKey, Nautobot's REST API failed to enforce user "view" permissions when determining whether a given reference to another object would be valid.
As a concrete example, a user:
- who has permission to create or update
ImageAttachmentrecords - but who lacks permission to view (some or all)
Devicerecords - _but who knows (via some other mechanism) the UUID of a specific
Devicethat they do not otherwise have access to_
could create via the REST API an ImageAttachment linked to that specific Device.
Other models that use GenericForeignKey and may be writable via the REST API, and hence have a similar vulnerability to ImageAttachment, may include:
ApprovalWorkflowCableConfigContextContactAssociationDataComplianceDeviceExportTemplateGraphQLQueryNoteObjectMetadataRelationshipAssociationStaticGroupAssociationVirtualMachine
Additionally, any Nautobot Apps that provide models with a REST API and use GenericForeignKey may have a similar vulnerability for their models.
Patches
A general-purpose fix has been implemented in Nautobot 2.4.33 and 3.1.2, which ensures correct application of "view" permissions when creating or modifying object references via GenericForeignKey throughout the REST API. Individual models/views/serializers generally will not require any specific code changes to benefit from this fix.
Workarounds
No known workarounds at this time.
References
- 2.4.33 (<a href="https://github.com/nautobot/nautobot/commit/9918bdb9bcf1eb42cda72c344f420a64ef7665f1">patch</a>)
- 3.1.2 (<a href="https://github.com/nautobot/nautobot/commit/36cde7148a207234de6212ec074f321dbc9d1b5b">patch</a>)
AnalysisAI
Nautobot's REST API fails to enforce user 'view' permissions when resolving GenericForeignKey references during object creation or update, allowing authenticated users to create cross-object associations to records they are explicitly denied access to view. Any Nautobot user holding write access to an affected model - including ImageAttachment, Cable, Note, ContactAssociation, and over a dozen others - can link those records to restricted objects (e.g., Devices) if they know the target's UUID through any side channel. No public exploit has been identified and this vulnerability is not listed in CISA KEV; EPSS of 0.02% (6th percentile) reflects low probability of automated exploitation, though the authorization bypass is straightforward once credentials and a target UUID are in hand.
Technical ContextAI
Nautobot is a network source-of-truth and automation platform built on Django, and uses Django's GenericForeignKey (GFK) pattern to implement polymorphic object references - a single model field pair (content_type + object_id) that can point to rows across multiple database tables. The vulnerability is rooted in CWE-862 (Missing Authorization): the REST API serializer's validate() method in nautobot/core/api/serializers.py checked whether a GFK target object existed but did not apply the requesting user's view-permission queryset (Nautobot's .restrict(user, 'view') mechanism) before that existence check. The fix adds GFK-aware logic to the base serializer that layers permission restriction on the target queryset whenever an authenticated request context is present, affecting all downstream serializers without requiring per-model changes. Affected CPEs are pkg:pip/nautobot versions below 2.4.33 and versions 3.0.0a2 through below 3.1.2.
RemediationAI
Upgrade to Nautobot 2.4.33 (patch commit 9918bdb9bcf1eb42cda72c344f420a64ef7665f1, release at https://github.com/nautobot/nautobot/releases/tag/v2.4.33) or Nautobot 3.1.2 (patch commit 36cde7148a207234de6212ec074f321dbc9d1b5b, release at https://github.com/nautobot/nautobot/releases/tag/v3.1.2). The fix is implemented centrally in the base serializer so no changes to individual model or app serializers are required to benefit. The vendor has confirmed no known workarounds exist. As a partial compensating control before patching, administrators can restrict REST API write access to highly trusted accounts only at the network or application layer (e.g., firewall rules scoping API access to specific IP ranges, or temporarily demoting lower-trust users to read-only roles on affected models); note this disrupts legitimate workflows and does not constitute a complete mitigation. Operators of third-party Nautobot Apps using GenericForeignKey should audit those serializers independently after upgrading the core platform.
Same weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-32955
GHSA-wpxj-44w3-2j6x