Description
NetBox versions 4.3.5 through 4.5.4 contain a remote code execution vulnerability in RenderTemplateMixin.get_environment_params(). An authenticated user with exporttemplate or configtemplate permissions can store attacker-chosen Python callables in a template's environment_params field, and those values are passed straight into the Jinja2 environment used to render the template. Setting the finalize parameter to any importable Python callable, for example subprocess.getoutput, bypasses the Jinja2 SandboxedEnvironment: finalize is invoked by the environment on the result of every rendered expression, outside the sandbox's call-interception mechanism, so each rendered value is handed to the callable and arbitrary code runs as the NetBox service user.
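The following is an added example, not NetBox's code, illustrating the mechanism described above: a renderer that forwards caller-controlled environment_params into a Jinja2 SandboxedEnvironment (resolving dotted strings such as "subprocess.getoutput" to callables) beside an allowlist-based builder that only accepts plain literal delimiter and whitespace settings. The names _resolve_dotted, render_unsafe, render_hardened, validate_environment_params, sandbox_blocks and ALLOWED_ENVIRONMENT_PARAMS are hypothetical, chosen for this example. It requires the jinja2 package and a POSIX shell.

```python
"""Added example (not NetBox's code): why a caller-controlled Jinja2 `finalize`
runs outside SandboxedEnvironment, and an allowlist that closes the hole.
All function and constant names here are hypothetical."""
import importlib

from jinja2.exceptions import SecurityError
from jinja2.sandbox import SandboxedEnvironment


def _looks_like_dotted_path(value):
    """True for strings such as 'subprocess.getoutput' (module.attr)."""
    parts = value.split(".")
    return len(parts) > 1 and all(part.isidentifier() for part in parts)


def _resolve_dotted(path):
    """Turn 'subprocess.getoutput' into the callable it names."""
    module, _, attr = path.rpartition(".")
    return getattr(importlib.import_module(module), attr)


def render_unsafe(template, environment_params, **context):
    """Vulnerable pattern: environment_params supplied by the user go straight
    into the Environment constructor, with dotted strings resolved to callables,
    so {'finalize': 'subprocess.getoutput'} becomes finalize=subprocess.getoutput.
    The sandbox only wraps calls, attribute and item access made *inside* the
    template; finalize is invoked by the environment itself on the value of
    every {{ ... }} expression, so each rendered value is passed to the shell."""
    params = {
        key: _resolve_dotted(val)
        if isinstance(val, str) and _looks_like_dotted_path(val) else val
        for key, val in environment_params.items()
    }
    env = SandboxedEnvironment(**params)
    return env.from_string(template).render(**context)


# Hardened: only delimiter and whitespace settings are accepted, each required
# to be a plain literal of the expected type. finalize, undefined, loader,
# extensions and every other constructor argument are unreachable from input.
ALLOWED_ENVIRONMENT_PARAMS = {
    "block_start_string": str, "block_end_string": str,
    "variable_start_string": str, "variable_end_string": str,
    "comment_start_string": str, "comment_end_string": str,
    "trim_blocks": bool, "lstrip_blocks": bool, "keep_trailing_newline": bool,
}


def validate_environment_params(environment_params):
    """Return a copy containing only allowlisted keys with exactly-typed values."""
    clean = {}
    for key, val in environment_params.items():
        expected = ALLOWED_ENVIRONMENT_PARAMS.get(key)
        if expected is None:
            raise ValueError(f"environment_params: {key!r} is not permitted")
        if type(val) is not expected:  # exact type: no subclasses, no string-to-callable resolution
            raise ValueError(f"environment_params: {key!r} must be a {expected.__name__}")
        clean[key] = val
    return clean


def render_hardened(template, environment_params, **context):
    env = SandboxedEnvironment(**validate_environment_params(environment_params))
    return env.from_string(template).render(**context)


def sandbox_blocks(template, environment_params=None, **context):
    """True if the sandbox raises SecurityError while rendering the template."""
    try:
        render_unsafe(template, environment_params or {}, **context)
    except SecurityError:
        return True
    return False


if __name__ == "__main__":
    evil = {"finalize": "subprocess.getoutput"}
    # Classic SSTI through dunder attributes is still caught by the sandbox ...
    print(sandbox_blocks("{{ ''.__class__.__mro__[1].__subclasses__() }}"))
    # ... but finalize runs outside it: the rendered value becomes a shell command.
    print(render_unsafe("{{ command }}", evil, command="echo rce-demo"))
    try:
        render_hardened("{{ command }}", evil, command="echo rce-demo")
    except ValueError as exc:
        print(exc)
```

The contrast is the point: the same SandboxedEnvironment rejects the usual dunder-attribute escape, yet executes `echo rce-demo` because `finalize` is a constructor argument of the environment, not an expression inside the template. The fix is to treat environment_params as data that can only select from a fixed set of literal options, never as something that names Python objects.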
References (7)
Exploit (technical description): https://chocapikk.com/posts/2026/netbox-export-template-rce/
Issue tracking: https://github.com/netbox-community/netbox/issues/22079
Issue tracking: https://github.com/netbox-community/netbox/pull/22078
Issue tracking: https://github.com/netbox-community/netbox/pull/22170
Release notes: https://github.com/netbox-community/netbox/releases/tag/v4.6.1
Patch: https://github.com/netbox-community/netbox/commit/d124c5fe86e12aad61285133c0caf16adcda8f2e
Third-party advisory: https://www.vulncheck.com/advisories/netbox-rce-via-rendertemplatemixin
Scores
CVSS v3: 8.8
EPSS: 0.0078
EPSS percentile: 51.4%
Attack vector: NETWORK
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CISA SSVC (Vulnrichment)
Exploitation: poc
Automatable: no
Technical impact: total
Details
CWE: CWE-183
Status: published
Products (1)
netbox-community/netbox: 4.3.5 - 4.5.4
Published: May 04, 2026
Tracked since: May 04, 2026