MEDIUM 5.4

CVE-2026-44794: Nautobot REST API Permission Bypass in GenericForeignKey Handling

Nautobot, a network automation platform, contains a permission bypass vulnerability in its REST API that affects how it validates references between database objects. When users create or update records that link to other objects in the system, the API fails to properly check whether the user has permission to view those referenced objects. This means an authenticated user could potentially reference objects they shouldn't have access to, leading to information disclosure or unintended modifications. The issue affects Nautobot versions before 2.4.33 and 3.1.2.

Source data · NVD / CISA · public domain

CVSS
3.1 · 5.4 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
Weaknesses (CWE)
CWE-862
Affected products
1 configuration(s)
Published / Modified
2026-05-28 / 2026-06-17

NVD description (verbatim)

Nautobot is a Network Source of Truth and Network Automation Platform. Prior to 2.4.33 and 3.1.2, in the case of inter-object references via GenericForeignKey (a pattern allowing an object to reference another object that may belong to one of several different "content types" or database tables), when creating or updating an object containing a GenericForeignKey, Nautobot's REST API failed to enforce user "view" permissions when determining whether a given reference to another object would be valid. This vulnerability is fixed in 2.4.33 and 3.1.2.

5 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

The vulnerability exists in Nautobot's handling of GenericForeignKey relationships via the REST API. GenericForeignKey is a Django pattern that allows an object to reference another object from multiple possible content types (database tables). During object creation or update operations, Nautobot failed to enforce view permission checks on the target of these cross-table references. An authenticated user with API access could craft requests that reference objects they lack explicit view permissions for, bypassing the intended authorization model. The issue is specific to the REST API layer and does not affect direct database access or the web UI in the same manner. Fixed in versions 2.4.33 and 3.1.2.

Business impact

This vulnerability could lead to unauthorized information disclosure if attackers discover or reference sensitive network configuration data they shouldn't access. In a network automation context where Nautobot tracks critical infrastructure details, an attacker might gather intelligence on network topology, device configurations, or relationships that inform further attacks. Additionally, if an attacker can reference objects during updates, they might trigger automation workflows or create inconsistent state in the network database, potentially affecting downstream automation tasks. The impact is limited by the requirement for valid API credentials and the fact that actual object modification likely requires additional permissions.

Affected systems

Nautobot versions 2.4.32 and earlier in the 2.4.x branch, and Nautobot versions 3.1.1 and earlier in the 3.1.x branch are affected. Organizations running Nautobot as their network source of truth should inventory their deployment versions. The REST API must be in use and exposed to authenticated users for the vulnerability to be exploitable; air-gapped or fully internal deployments without external API access face lower risk.

Exploitability

Exploitation requires valid Nautobot credentials and REST API access. An attacker must authenticate to the platform and possess at least basic API permissions to create or update objects. The vulnerability does not require special network positioning or zero-day exploit code—it can be exercised through standard REST API calls with appropriately crafted payloads referencing restricted objects. However, the attacker's ability to perform meaningful harm depends on their existing role and what sensitive objects exist in that Nautobot instance. The CVSS score of 5.4 (MEDIUM) reflects that authenticated access is required and the impact is partial (confidentiality and integrity, but not availability).

Remediation

Upgrade Nautobot to version 2.4.33 or later if running the 2.4.x branch, or to version 3.1.2 or later if running the 3.1.x branch. These versions enforce proper view permission checks on GenericForeignKey references during REST API object creation and updates. If immediate upgrade is not feasible, restrict REST API access to trusted internal networks and audit API activity for suspicious cross-object references.

Patch guidance

NetworkToCode has released patches in Nautobot 2.4.33 and 3.1.2. Review your current Nautobot version (check Admin > System Information or via the API at /api/status/) and plan an upgrade during a maintenance window. Test patches in a non-production environment first to ensure compatibility with any custom plugins or integrations. The upgrade path from 2.4.x to 3.1.x may involve breaking changes beyond this security fix, so review release notes carefully. If you are on 2.4.x, you can patch within that branch; organizations may then plan a longer-term migration to 3.1.x at their own pace.

Detection guidance

Monitor Nautobot REST API logs (typically in /var/log/nautobot/ or configured syslog) for unusual patterns: authenticated users creating or updating objects with GenericForeignKey fields that reference objects outside their normal scope, repeated failed permission checks, or API requests from unexpected IP ranges. Enable API request logging if not already active. Search audit logs for PATCH or POST requests to endpoints containing content-type or generic-foreign-key references. Query the database for recent object updates by users and cross-reference their known permissions. A SIEM integration can help correlate API activity with user context.

Why prioritize this

While the CVSS score is MEDIUM and not on the CISA KEV list, this vulnerability warrants prompt patching due to Nautobot's role in critical infrastructure management. Network automation platforms are high-value targets; any permission bypass could lead to reconnaissance of sensitive infrastructure. The fix is straightforward (version upgrade), reducing remediation friction. Organizations should treat this as a normal patch cycle priority, not an emergency, but should not defer indefinitely.

Risk score, explained

CVSS 5.4 reflects: (1) network-accessible REST API (AV:N), (2) low attack complexity (AC:L), (3) requirement for valid user credentials (PR:L), (4) no user interaction needed (UI:N), (5) impact scoped to the single organization's Nautobot instance (S:U), and (6) partial impact on confidentiality and integrity (C:L, I:L) with no availability impact (A:N). The score does not account for the strategic value of network source-of-truth platforms; this is a 'textbook' MEDIUM severity but operationally important in context.

Frequently asked questions

Do we need to upgrade immediately?

No, this is a MEDIUM severity vulnerability requiring authentication. However, because Nautobot manages critical network data, you should upgrade within your normal security patch window—typically within 30 days. If you have high-confidence that your REST API is not exposed to untrusted networks and your user base is small and trusted, you can extend the timeline slightly while you test in staging.

What exactly can an attacker see or modify if they exploit this?

An attacker with valid API credentials can reference objects they lack view permission for when creating or updating records. This may allow them to read metadata or IDs of restricted objects and potentially trigger automation workflows that depend on those references. They cannot directly read the full content of restricted objects through this vulnerability alone, but they gain an information disclosure vector about what sensitive objects exist in your Nautobot instance.

Does this affect the web UI or only the REST API?

This vulnerability is specific to the REST API layer. The web UI enforces permissions through a different code path and is not affected. If you only use Nautobot through the web interface and do not expose the REST API, your risk is lower—though upgrading is still recommended as a best practice.

How can we detect if we've been exploited?

Review Nautobot REST API access logs for authenticated requests from unusual users or IP addresses, particularly those creating or updating objects with cross-table references (GenericForeignKey fields). Check the audit log for modifications to sensitive network objects that you don't recognize. If you have API request logging enabled, filter for PATCH/POST requests that reference 'content_type' parameters or generic-foreign-key fields in conjunction with restricted object IDs.

This analysis is based on the CVE record and vendor advisory as of the publication date. Organizations should verify patch applicability against their specific Nautobot deployment, including any custom plugins or modifications. SEC.co does not provide legal advice; consult your organization's security and legal teams regarding patch timelines and compliance obligations. No exploit code or proof-of-concept details are provided. Test all patches in a non-production environment before deployment to production systems. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).