CVE-2026-44794
MEDIUMNautobot: REST API permits creation of GenericForeignKey references to objects that the user should not be able to reference
Title source: cnaDescription
Nautobot is a Network Source of Truth and Network Automation Platform. Prior to 2.4.33 and 3.1.2, in the case of inter-object references via GenericForeignKey (a pattern allowing an object to reference another object that may belong to one of several different "content types" or database tables), when creating or updating an object containing a GenericForeignKey, Nautobot's REST API failed to enforce user "view" permissions when determining whether a given reference to another object would be valid. This vulnerability is fixed in 2.4.33 and 3.1.2.
References (5)
Core 5
Core References
X_Refsource_Confirm x_refsource_confirm
https://github.com/nautobot/nautobot/security/advisories/GHSA-wpxj-44w3-2j6x
X_Refsource_Misc x_refsource_misc
https://github.com/nautobot/nautobot/commit/36cde7148a207234de6212ec074f321dbc9d1b5b
X_Refsource_Misc x_refsource_misc
https://github.com/nautobot/nautobot/commit/9918bdb9bcf1eb42cda72c344f420a64ef7665f1
X_Refsource_Misc x_refsource_misc
https://github.com/nautobot/nautobot/releases/tag/v2.4.33
X_Refsource_Misc x_refsource_misc
https://github.com/nautobot/nautobot/releases/tag/v3.1.2
Scores
CVSS v3
5.4
EPSS
0.0018
EPSS Percentile
7.4%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
partial
Details
CWE
CWE-862
Status
published
Products (5)
nautobot/nautobot
< 2.4.33
nautobot/nautobot
>= 3.0.0a2, < 3.1.2
networktocode/nautobot
< 2.4.33
pypi/nautobot
0 - 2.4.33PyPI
pypi/nautobot
3.0.0a2 - 3.1.2PyPI
Published
May 28, 2026
Tracked Since
May 28, 2026