Skip to main content

Nautobot EUVDEUVD-2026-32974

| CVE-2026-44797 HIGH
Server-Side Request Forgery (SSRF) (CWE-918)
2026-05-13 https://github.com/nautobot/nautobot GHSA-c35q-vxrp-ph26
8.5
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
8.5 HIGH
AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
Low
Availability
None

Lifecycle Timeline

3
Source Code Evidence Fetched
May 13, 2026 - 16:31 vuln.today
Analysis Generated
May 13, 2026 - 16:31 vuln.today
CVE Published
May 13, 2026 - 15:30 nvd
HIGH 8.5

DescriptionGitHub Advisory

Impact

Nautobot's Webhook data model and associated feature set could be configured by users with sufficient access to perform requests to various hosts and IP addresses that should not be permitted, allowing for various behaviors similar to server-side request forgery (SSRF).

Patches

Fixes are available in Nautobot v2.4.33 and v3.1.2.

In support of this fix, three new settings variables have been added to Nautobot:

  • WEBHOOK_ALLOWED_SCHEMES - By default new or updated Webhook records will be restricted to HTTP or HTTPS only, disallowing other schemes that may have been previously allowed. Administrators should audit existing Webhook records to identify any that are invalid, and either update/delete said records or customize WEBHOOK_ALLOWED_SCHEMES as appropriate.
  • WEBHOOK_ADDITIONAL_BLOCKED_NETWORKS - This can be used to specify additional IP networks that should be denied to Webhook sending, for example some deployments may wish to disallow RFC1918 addresses or even disallow all networks and carve out specific exemptions using the following setting.
  • WEBHOOK_ALLOWED_HOSTS - This can be used to provide an allow-list of specific hosts that would otherwise be blocked by any WEBHOOK_ADDITIONAL_BLOCKED_NETWORKS configuration.

Workarounds

Administrators should review which users have been granted add or change permissions for the Webhook data model, and should review currently defined Webhook records for safety and validity. Other than that, no specific workaround has been identified.

References

  • 2.4.33 (<a href="https://github.com/nautobot/nautobot/commit/16aa4aa9796ab7a31c4d615ec945e1f16d8c77c4">patch</a>)
  • 3.1.2 (<a href="https://github.com/nautobot/nautobot/commit/7324c8f0d8c7245fbc691e15d729adc2d2707d08">patch</a>)

AnalysisAI

Server-side request forgery (SSRF) in Nautobot's Webhook feature allows authenticated users with add/change permissions on the Webhook data model to configure malicious webhook URLs targeting internal hosts, cloud metadata endpoints, or other restricted network resources. Affects all versions prior to 2.4.33 and 3.x versions prior to 3.1.2. The vulnerability allows bypassing intended network boundaries and accessing services that should not be reachable from the Nautobot server. Vendor-released patches available in v2.4.33 and v3.1.2 introduce URL scheme restrictions, IP network blocklists, and hostname allow-lists to prevent SSRF exploitation. No public exploit identified at time of analysis, but CVSS base score of 8.5 reflects significant impact with scope change allowing access to resources beyond the vulnerable component's security context.

Technical ContextAI

Nautobot is a Python-based network infrastructure automation platform distributed via PyPI (pip package manager). The vulnerability resides in the Webhook data model, which allows users to define HTTP callbacks triggered by system events. The flaw is classified as CWE-918 (Server-Side Request Forgery), where insufficient validation of user-supplied URLs permits the Nautobot server to make requests on behalf of an authenticated attacker. Classic SSRF vectors are possible including accessing cloud metadata services (169.254.169.254), internal services on loopback addresses, link-local networks, RFC1918 private ranges, and services using non-HTTP protocols (file://, ftp://, gopher://). The CVSS vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C indicates network-accessible exploitation requiring low-privilege authentication with changed scope, meaning successful exploitation can impact resources outside the Nautobot application's security boundary. The fix implements URL parsing with scheme validation, DNS resolution-time checks against blocklists, and configurable network filtering using three new settings: WEBHOOK_ALLOWED_SCHEMES (restricts to http/https by default), WEBHOOK_ADDITIONAL_BLOCKED_NETWORKS (admin-defined CIDR blocklist), and WEBHOOK_ALLOWED_HOSTS (carve-out exceptions for legitimate internal targets).

RemediationAI

Upgrade to Nautobot v2.4.33 (for 2.x deployments) or v3.1.2 (for 3.x deployments) immediately. Vendor-released patches available via pip upgrade: 'pip install --upgrade nautobot2.4.33' or 'nautobot3.1.2'. Commit-level patches available at https://github.com/nautobot/nautobot/commit/16aa4aa9796ab7a31c4d615ec945e1f16d8c77c4 (v2.4.33) and https://github.com/nautobot/nautobot/commit/7324c8f0d8c7245fbc691e15d729adc2d2707d08 (v3.1.2). Post-upgrade actions required: (1) Audit all existing Webhook records for malicious or invalid URLs, particularly those using non-HTTP schemes or pointing to internal IP ranges. (2) Review and configure three new settings variables introduced in the patch: set WEBHOOK_ALLOWED_SCHEMES to restrict URL schemes (defaults to http/https only), configure WEBHOOK_ADDITIONAL_BLOCKED_NETWORKS to block RFC1918 ranges if internal webhooks are not needed (e.g., ['10.0.0.0/8', '172.16.0.0/12', '192.168.0.0/16']), and define WEBHOOK_ALLOWED_HOSTS for legitimate internal targets requiring carve-out exceptions. Note that the deprecated nautobot-server webhook_receiver command has been removed in patched versions. If immediate patching is not possible, implement temporary compensating controls: (1) Restrict add/change permissions on the Webhook data model to fully-trusted administrators only using Django admin or Nautobot RBAC. (2) Review and delete any suspicious Webhook definitions, especially those with non-HTTP schemes or IP literals in private ranges. (3) Deploy network-level egress filtering to block Nautobot server access to metadata endpoints (169.254.169.254/32, fd00:ec2::254/128) and sensitive internal services. Trade-offs: restrictive egress rules may break legitimate webhook integrations to internal monitoring systems; validate before deploying broadly.

Share

EUVD-2026-32974 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy