HIGH 8.5

CVE-2026-44797: Nautobot Webhook SSRF Vulnerability – Patch to 2.4.33 or 3.1.2

Nautobot, a network automation and source-of-truth platform, contains a webhook configuration vulnerability that allows authenticated users to craft requests to internal hosts and IP addresses they should not be able to reach. This is functionally similar to server-side request forgery (SSRF) attacks, where the application itself becomes a proxy for malicious requests. An attacker with sufficient access could abuse this to scan internal networks, access restricted services, or exfiltrate data. The issue affects Nautobot versions prior to 2.4.33 and 3.1.2.

Source data · NVD / CISA · public domain

CVSS
3.1 · 8.5 HIGH · CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N
Weaknesses (CWE)
CWE-918
Affected products
1 configuration(s)
Published / Modified
2026-05-28 / 2026-06-17

NVD description (verbatim)

Nautobot is a Network Source of Truth and Network Automation Platform. Prior to 2.4.33 and 3.1.2, Nautobot's Webhook data model and associated feature set could be configured by users with sufficient access to perform requests to various hosts and IP addresses that should not be permitted, allowing for various behaviors similar to server-side request forgery (SSRF). This vulnerability is fixed in 2.4.33 and 3.1.2.

5 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

The vulnerability stems from insufficient validation of webhook destination URLs and associated network policies. Nautobot's webhook subsystem allows authenticated users to define callbacks to external or internal endpoints; without proper access controls and destination validation, a user can configure webhooks to target RFC 1918 addresses, loopback interfaces, or other administratively restricted ranges. This enables SSRF-class attacks where Nautobot itself performs requests on behalf of the attacker. The fix in versions 2.4.33 and 3.1.2 introduces stricter URL validation and network boundary enforcement to prevent webhook callbacks from reaching non-routable or internally reserved address spaces.

Business impact

Organizations deploying Nautobot as a critical network source of truth face elevated risk if untrusted or insufficiently monitored administrative accounts are present. A compromised admin account or an insider with webhook configuration privileges can pivot to internal services, bypass network segmentation, and potentially reach sensitive systems such as database servers, monitoring platforms, or other infrastructure not intended for direct external access. In multi-tenant or consultant-access scenarios, this risk multiplies. The high CVSS score reflects the broad blast radius when combined with network access control bypass.

Affected systems

Nautobot versions 2.x prior to 2.4.33 and 3.x prior to 3.1.2 are affected. Any deployment where untrusted or semi-trusted users have webhook configuration permissions is at heightened risk. Organizations using Nautobot in air-gapped or highly segmented networks may face lower practical risk, but those with flat or permissive internal networks should treat this as urgent.

Exploitability

Exploitation requires authenticated access and sufficient privileges to configure webhooks—typically an admin or privileged operator role. There is no publicly disclosed exploit code as of the advisory date, and the vulnerability has not been added to the CISA Known Exploited Vulnerabilities (KEV) catalog. However, the barrier to exploitation is low once credentials are obtained: an attacker need only define a webhook pointing to an internal target. This makes credential compromise a primary attack vector in the threat chain.

Remediation

Upgrade Nautobot to version 2.4.33 or later for the 2.x branch, or 3.1.2 or later for the 3.x branch. These versions enforce network boundary validation on webhook destinations. Interim mitigations include restricting webhook configuration permissions to highly trusted personnel, implementing strong authentication and monitoring on admin accounts, and using network-level controls (e.g., egress filtering) to prevent Nautobot processes from reaching unintended internal services.

Patch guidance

Test patches in a pre-production environment to ensure no impact on existing webhook integrations. Review and validate all currently configured webhooks post-patch to confirm they target intended endpoints. If your organization has custom webhook handlers or integrations, verify they function correctly with the updated validation rules. After patching, audit webhook permissions to confirm only authorized users retain configuration rights.

Detection guidance

Monitor Nautobot logs and audit trails for unusual webhook creation or modification events, especially those involving internal IP ranges (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 127.0.0.0/8, etc.). Track webhook execution logs for failed or suspicious callback attempts. Network monitoring can identify outbound connections from Nautobot to unexpected internal addresses. Correlate these signals with user access logs to identify compromised accounts or insider activity.

Why prioritize this

Although exploitability requires authentication, the severity is high due to the CVSS 8.5 score and the potential for network reconnaissance and lateral movement from a privileged but potentially compromised account. Organizations should prioritize patching based on: (1) sensitivity of internal systems reachable from Nautobot's network segment, (2) user count and trustworthiness of those with webhook permissions, and (3) overall network segmentation posture. High-risk environments should patch within 30 days; standard deployments within 60–90 days.

Risk score, explained

The CVSS 3.1 score of 8.5 (HIGH) reflects a network-accessible vulnerability with low attack complexity and high confidentiality impact. The score accounts for the requirement of valid credentials (PR:L) but also the broad scope of potential targets once access is gained (S:C). The integrity impact is rated as low because webhook abuse primarily enables reconnaissance and data exfiltration rather than direct data modification, though downstream exploitation remains possible.

Frequently asked questions

Does this vulnerability allow unauthenticated attacks?

No. An attacker must already possess valid credentials and sufficient privileges to configure webhooks in Nautobot. This is typically restricted to administrators or designated automation operators. However, credential compromise or insider threats remain viable attack vectors.

Can this be exploited to attack external targets or the internet?

The vulnerability is specific to SSRF-like behavior targeting hosts and networks that Nautobot itself can reach from its network position. It does not grant new outbound internet access but rather allows abuse of existing network paths to reach restricted internal destinations.

What is the difference between versions 2.4.33 and 3.1.2?

Both are the patched releases for their respective branches (2.x and 3.x). Version 3.x is the more recent major release line. Organizations on 2.x should upgrade to 2.4.33 at minimum; those able to move to 3.x should do so to benefit from newer features and longer support. Verify the upgrade path with your deployment guide.

Should we block all outbound connections from Nautobot?

Overly restrictive egress filtering may break legitimate webhook functionality. Instead, implement a whitelist of approved webhook destinations and use network policies to prevent traffic to RFC 1918 ranges and loopback addresses. Combine this with strong RBAC for webhook configuration.

This analysis is based on the publicly disclosed advisory and CVSS vector provided by the vendor. No exploit code or weaponized proof-of-concept has been evaluated. Organizations should verify patch applicability and conduct testing in their own environment. CVSS scores and vulnerability details may be updated as new information emerges; always consult the official Nautobot security advisories and CVE databases for the latest information. This document does not constitute legal or compliance advice. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).