MEDIUM 6.5

CVE-2026-44796: Nautobot Denial of Service via ReDoS in Bulk-Rename Endpoints

Nautobot, a network automation and source-of-truth platform, contains a denial-of-service vulnerability in its bulk-rename feature. An authenticated attacker can craft malicious regular expressions in the 'find' field and enable the regex flag to cause the application to hang or become unresponsive, disrupting access for all users. The flaw affects versions before 2.4.33 and 3.1.2.

Source data · NVD / CISA · public domain

CVSS
3.1 · 6.5 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Weaknesses (CWE)
CWE-1333, CWE-400
Affected products
1 configuration(s)
Published / Modified
2026-05-28 / 2026-06-17

NVD description (verbatim)

Nautobot is a Network Source of Truth and Network Automation Platform. Prior to 2.4.33 and 3.1.2, Nautobot UI object-bulk-rename endpoints (for example, /dcim/interfaces/rename/) were vulnerable to application-wide denial of service via maliciously crafted regular expressions in the find field in combination with the use_regex flag. This vulnerability is fixed in 2.4.33 and 3.1.2.

5 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

The vulnerability exists in Nautobot's UI object-bulk-rename endpoints (such as /dcim/interfaces/rename/) where insufficient validation of regular expressions combined with the use_regex flag allows ReDoS (Regular Expression Denial of Service) attacks. When a maliciously crafted regex pattern with excessive backtracking is processed, the application consumes CPU resources uncontrollably, triggering an application-wide denial of service. This is categorized under CWE-1333 (Inefficient Regular Expression Complexity) and CWE-400 (Uncontrolled Resource Consumption).

Business impact

For organizations using Nautobot as their network source of truth, this vulnerability creates operational risk. An authenticated user—whether a legitimate account or a compromised credential—can render the platform unavailable, blocking network automation workflows, device inventory queries, and configuration management tasks during the attack. Recovery requires service restart, creating unplanned downtime.

Affected systems

Nautobot versions prior to 2.4.33 (2.4.x branch) and 3.1.2 (3.1.x branch) are affected. The vulnerability is specific to the bulk-rename UI endpoints and requires the attacker to have valid authentication credentials to the Nautobot instance.

Exploitability

Exploitability is moderate. The attack requires authentication (authenticated users or those with valid credentials), ruling out completely unauthenticated internet-facing attacks. However, the barrier to exploitation is low once authenticated: an attacker need only craft a ReDoS pattern and submit it via the bulk-rename form. No complex multi-step exploit chain is required. Internal threats, disgruntled employees, or compromised accounts pose the primary risk.

Remediation

Upgrade Nautobot to version 2.4.33 or later (for the 2.4.x series) or 3.1.2 or later (for the 3.1.x series). Verify the patched version is confirmed in your deployment before restart. Organizations unable to upgrade immediately should restrict access to bulk-rename endpoints via application firewall rules or network controls, limiting exposure to trusted administrative accounts only.

Patch guidance

NetworkToCode has released patches in Nautobot 2.4.33 and 3.1.2. Consult the official NetworkToCode security advisories and release notes to verify patch availability for your branch and confirm no additional breaking changes. Test the upgrade in a non-production environment first. After upgrading, restart the Nautobot service to ensure the fix is active.

Detection guidance

Monitor Nautobot logs for repeated requests to bulk-rename endpoints (/dcim/interfaces/rename/, similar paths) originating from a single authenticated user or session within a short timeframe, particularly those with complex or unusual regex patterns in the 'find' parameter. Application performance monitoring can detect sudden CPU spikes correlated with bulk-rename requests. Network segmentation and authentication logs can identify lateral movement from compromised accounts exploiting this flaw.

Why prioritize this

This vulnerability scores CVSS 6.5 (MEDIUM) and is best prioritized based on your exposure model: if Nautobot is internet-facing or accessible to high-risk user populations (e.g., contractors, external partners), prioritize patching within 2–4 weeks. If Nautobot is internal-only with access restricted to vetted staff, extend the window to 4–8 weeks. The lack of CISA KEV status indicates this is not yet actively exploited in the wild, reducing urgency but not eliminating risk.

Risk score, explained

The CVSS 6.5 score reflects a network-accessible service (AV:N), low complexity attack (AC:L), authenticated requirement (PR:L), and high availability impact (A:H). The score does not account for business criticality; organizations relying on Nautobot for real-time network operations may perceive risk as higher. The absence of confidentiality or integrity impact limits the base score but does not diminish the operational harm of service unavailability.

Frequently asked questions

Do I need valid credentials to exploit this?

Yes. The vulnerability requires authentication (PR:L in the CVSS vector). An attacker must possess or compromise a valid Nautobot user account. This eliminates anonymous internet-based attacks but increases insider-threat risk.

Will this exploit break my network automation scripts?

Not directly. The flaw resides only in the UI bulk-rename endpoints. API-based automation using other Nautobot endpoints is unaffected. However, if the denial of service renders Nautobot unavailable, all dependent workflows—UI and API—will fail until the service recovers.

Is there a workaround if I cannot patch immediately?

Partial mitigation is possible by restricting network or application-level access to bulk-rename endpoints, limiting usage to administrators only, or disabling the regex flag via configuration if supported. However, upgrading to 2.4.33 or 3.1.2 is the definitive fix. Contact NetworkToCode support for configuration-specific guidance.

Has this vulnerability been exploited in the wild?

No. This vulnerability has not been added to CISA's Known Exploited Vulnerabilities (KEV) catalog, indicating no confirmed public exploitation. However, the relatively simple attack surface means exploitation could occur opportunistically if attackers gain authenticated access.

This analysis is based on publicly disclosed CVE data and vendor advisories current as of the publication date. Readers should verify patch availability and compatibility with their specific Nautobot deployment by consulting NetworkToCode's official release notes and security documentation. This summary does not constitute legal or compliance advice; consult your organization's security and compliance teams before making remediation decisions. SEC.co assumes no liability for damages resulting from application or misapplication of this guidance. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).