CVE-2026-44796: Nautobot Denial of Service via ReDoS in Bulk-Rename Endpoints
Nautobot, a network automation and source-of-truth platform, contains a denial-of-service vulnerability in its bulk-rename feature. An authenticated attacker can craft malicious regular expressions in the 'find' field and enable the regex flag to cause the application to hang or become unresponsive, disrupting access for all users. The flaw affects versions before 2.4.33 and 3.1.2.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 6.5 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
- Weaknesses (CWE)
- CWE-1333, CWE-400
- Affected products
- 1 configuration(s)
- Published / Modified
- 2026-05-28 / 2026-06-17
NVD description (verbatim)
Nautobot is a Network Source of Truth and Network Automation Platform. Prior to 2.4.33 and 3.1.2, Nautobot UI object-bulk-rename endpoints (for example, /dcim/interfaces/rename/) were vulnerable to application-wide denial of service via maliciously crafted regular expressions in the find field in combination with the use_regex flag. This vulnerability is fixed in 2.4.33 and 3.1.2.
5 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
The vulnerability exists in Nautobot's UI object-bulk-rename endpoints (such as /dcim/interfaces/rename/) where insufficient validation of regular expressions combined with the use_regex flag allows ReDoS (Regular Expression Denial of Service) attacks. When a maliciously crafted regex pattern with excessive backtracking is processed, the application consumes CPU resources uncontrollably, triggering an application-wide denial of service. This is categorized under CWE-1333 (Inefficient Regular Expression Complexity) and CWE-400 (Uncontrolled Resource Consumption).
Business impact
For organizations using Nautobot as their network source of truth, this vulnerability creates operational risk. An authenticated user—whether a legitimate account or a compromised credential—can render the platform unavailable, blocking network automation workflows, device inventory queries, and configuration management tasks during the attack. Recovery requires service restart, creating unplanned downtime.
Affected systems
Nautobot versions prior to 2.4.33 (2.4.x branch) and 3.1.2 (3.1.x branch) are affected. The vulnerability is specific to the bulk-rename UI endpoints and requires the attacker to have valid authentication credentials to the Nautobot instance.
Exploitability
Exploitability is moderate. The attack requires authentication (authenticated users or those with valid credentials), ruling out completely unauthenticated internet-facing attacks. However, the barrier to exploitation is low once authenticated: an attacker need only craft a ReDoS pattern and submit it via the bulk-rename form. No complex multi-step exploit chain is required. Internal threats, disgruntled employees, or compromised accounts pose the primary risk.
Remediation
Upgrade Nautobot to version 2.4.33 or later (for the 2.4.x series) or 3.1.2 or later (for the 3.1.x series). Verify the patched version is confirmed in your deployment before restart. Organizations unable to upgrade immediately should restrict access to bulk-rename endpoints via application firewall rules or network controls, limiting exposure to trusted administrative accounts only.
Patch guidance
NetworkToCode has released patches in Nautobot 2.4.33 and 3.1.2. Consult the official NetworkToCode security advisories and release notes to verify patch availability for your branch and confirm no additional breaking changes. Test the upgrade in a non-production environment first. After upgrading, restart the Nautobot service to ensure the fix is active.
Detection guidance
Monitor Nautobot logs for repeated requests to bulk-rename endpoints (/dcim/interfaces/rename/, similar paths) originating from a single authenticated user or session within a short timeframe, particularly those with complex or unusual regex patterns in the 'find' parameter. Application performance monitoring can detect sudden CPU spikes correlated with bulk-rename requests. Network segmentation and authentication logs can identify lateral movement from compromised accounts exploiting this flaw.
Why prioritize this
This vulnerability scores CVSS 6.5 (MEDIUM) and is best prioritized based on your exposure model: if Nautobot is internet-facing or accessible to high-risk user populations (e.g., contractors, external partners), prioritize patching within 2–4 weeks. If Nautobot is internal-only with access restricted to vetted staff, extend the window to 4–8 weeks. The lack of CISA KEV status indicates this is not yet actively exploited in the wild, reducing urgency but not eliminating risk.
Risk score, explained
The CVSS 6.5 score reflects a network-accessible service (AV:N), low complexity attack (AC:L), authenticated requirement (PR:L), and high availability impact (A:H). The score does not account for business criticality; organizations relying on Nautobot for real-time network operations may perceive risk as higher. The absence of confidentiality or integrity impact limits the base score but does not diminish the operational harm of service unavailability.
Frequently asked questions
Do I need valid credentials to exploit this?
Yes. The vulnerability requires authentication (PR:L in the CVSS vector). An attacker must possess or compromise a valid Nautobot user account. This eliminates anonymous internet-based attacks but increases insider-threat risk.
Will this exploit break my network automation scripts?
Not directly. The flaw resides only in the UI bulk-rename endpoints. API-based automation using other Nautobot endpoints is unaffected. However, if the denial of service renders Nautobot unavailable, all dependent workflows—UI and API—will fail until the service recovers.
Is there a workaround if I cannot patch immediately?
Partial mitigation is possible by restricting network or application-level access to bulk-rename endpoints, limiting usage to administrators only, or disabling the regex flag via configuration if supported. However, upgrading to 2.4.33 or 3.1.2 is the definitive fix. Contact NetworkToCode support for configuration-specific guidance.
Has this vulnerability been exploited in the wild?
No. This vulnerability has not been added to CISA's Known Exploited Vulnerabilities (KEV) catalog, indicating no confirmed public exploitation. However, the relatively simple attack surface means exploitation could occur opportunistically if attackers gain authenticated access.
This analysis is based on publicly disclosed CVE data and vendor advisories current as of the publication date. Readers should verify patch availability and compatibility with their specific Nautobot deployment by consulting NetworkToCode's official release notes and security documentation. This summary does not constitute legal or compliance advice; consult your organization's security and compliance teams before making remediation decisions. SEC.co assumes no liability for damages resulting from application or misapplication of this guidance. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-10291MEDIUMReDoS in Enderfga claw-orchestrator validateRegex—Security Update
- CVE-2026-10691MEDIUMReDoS Vulnerability in DesktopCommanderMCP Search Manager
- CVE-2026-10692MEDIUMReDoS Vulnerability in code-index-mcp Up to 2.14.0 – Patch Available
- CVE-2019-25721MEDIUMDräger Infinity M300 Denial-of-Service Vulnerability – Network-Induced Device Reboots
- CVE-2019-25724MEDIUMDräger Infinity M300 Denial-of-Service Vulnerability Impact on Patient Monitoring
- CVE-2025-48648MEDIUMAndroid NotificationManagerService Resource Exhaustion DoS
- CVE-2026-0042MEDIUMAndroid UBSan Resource Exhaustion Denial of Service
- CVE-2026-0069MEDIUMAndroid Resource Exhaustion in APK Signature Verification