Description
NetBox versions 4.3.5 through 4.5.4 contain a remote code execution vulnerability in the RenderTemplateMixin.get_environment_params() method that allows authenticated users with exporttemplate or configtemplate permissions to execute arbitrary code by specifying malicious Python callables in the environment_params field. Attackers can bypass Jinja2 SandboxedEnvironment protections by setting the finalize parameter to any importable Python callable such as subprocess.getoutput, which is invoked on every rendered expression outside the sandbox's call interception mechanism, achieving remote code execution as the NetBox service user.
Published: 2026-05-04
Score: 8.7 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

NetBox versions 4.3.5 through 4.5.4 contain a flaw in the RenderTemplateMixin.get_environment_params() method that allows an authenticated user with exporttemplate or configtemplate permissions to inject arbitrary Python callables into the environment_params field. By setting the finalize parameter to a callable such as subprocess.getoutput, the attacker can bypass the Jinja2 SandboxedEnvironment and execute code outside the sandbox, resulting in remote code execution under the NetBox service user. This capability compromises confidentiality, integrity, and availability of the entire NetBox instance.

Affected Systems

The vulnerability affects the NetBox application published by netbox-community, specifically all releases from 4.3.5 to 4.5.4. It requires the target to have users who possess exporttemplate or configtemplate permissions; therefore, any organization running an affected NetBox version with such privileged users is at risk.

Risk and Exploitability

The CVSS score of 8.7 indicates high severity. The EPSS score is currently unavailable and the CVE is not listed in KEV, but neither fact diminishes the potential impact. An attacker with legitimate access to a NetBox instance can leverage this flaw to run arbitrary code, most likely as a credentialed user performing an export template action. Because the vulnerability requires a specific permission set, the attack surface is limited to authenticated users, but the damage potential remains significant. No publicly documented exploit code has been released yet, but the detailed advisory suggests that exploitation is feasible.

Generated by OpenCVE AI on May 4, 2026 at 17:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update NetBox to a version later than 4.5.4, such as 4.5.5 or newer, where the RenderTemplateMixin is fixed.
  • If an update is not immediately possible, revoke exporttemplate and configtemplate permissions from all users until the vulnerability is patched.
  • Audit existing template configurations and remove or sanitize any malicious environment_params entries.
  • Enable application logging for template rendering events and monitor for unusual finalize calls or error messages.
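
One way to carry out the audit step above, as an added example that is not NetBox or OpenCVE code: it assumes template records have been exported as dicts with hypothetical "name" and "environment_params" keys, and checks each key against the Jinja2 Environment constructor options. It goes beyond finalize and flags every option that can take a callable, class or import path.

```python
# Added example: audit exported template records for risky environment_params.
# Assumption: each record is a dict with "name" and "environment_params" keys.

# Jinja2 Environment options that only take strings, booleans or integers.
DATA_ONLY_OPTIONS = {
    "block_start_string", "block_end_string",
    "variable_start_string", "variable_end_string",
    "comment_start_string", "comment_end_string",
    "line_statement_prefix", "line_comment_prefix",
    "trim_blocks", "lstrip_blocks", "newline_sequence",
    "keep_trailing_newline", "optimized", "cache_size",
    "auto_reload", "enable_async",
}
# Options that can carry a callable, class or import path. "finalize" is the
# one named in the advisory; the others are flagged on the same principle.
CODE_BEARING_OPTIONS = {
    "finalize", "undefined", "autoescape", "extensions",
    "loader", "bytecode_cache",
}
SCALARS = (str, bool, int, type(None))

def audit_params(params):
    """Return (key, reason) findings for one environment_params dict."""
    findings = []
    for key, value in sorted((params or {}).items()):
        if key == "autoescape" and isinstance(value, bool):
            continue  # a plain on/off switch carries no code reference
        if key in CODE_BEARING_OPTIONS:
            findings.append((key, "accepts a callable or import path"))
        elif key not in DATA_ONLY_OPTIONS:
            findings.append((key, "unknown option, review manually"))
        elif not isinstance(value, SCALARS):
            findings.append((key, "non-scalar value for a data-only option"))
    return findings

def audit_records(records):
    """Map template name -> findings, for templates that have any."""
    report = {r["name"]: audit_params(r.get("environment_params")) for r in records}
    return {name: found for name, found in report.items() if found}

# Constructed sample input, not taken from a real NetBox instance.
SAMPLE_RECORDS = [
    {"name": "device-csv", "environment_params": {"trim_blocks": True}},
    {"name": "switch-config", "environment_params": {"finalize": "example_pkg.some_callable"}},
    {"name": "legacy", "environment_params": {"autoescape": False, "policies": {"x": 1}}},
    {"name": "empty", "environment_params": None},
]

if __name__ == "__main__":
    for name, found in audit_records(SAMPLE_RECORDS).items():
        print(name, found)
```

Templates that appear in the report should be reviewed by hand before the flagged keys are removed.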

Advisories

No advisories yet.

History

Mon, 04 May 2026 20:15:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Netbox; Netbox netbox
Vendors & Products | | Netbox; Netbox netbox

Mon, 04 May 2026 17:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Mon, 04 May 2026 16:30:00 +0000

Type | Values Removed | Values Added
Description | | NetBox versions 4.3.5 through 4.5.4 contain a remote code execution vulnerability in the RenderTemplateMixin.get_environment_params() method that allows authenticated users with exporttemplate or configtemplate permissions to execute arbitrary code by specifying malicious Python callables in the environment_params field. Attackers can bypass Jinja2 SandboxedEnvironment protections by setting the finalize parameter to any importable Python callable such as subprocess.getoutput, which is invoked on every rendered expression outside the sandbox's call interception mechanism, achieving remote code execution as the NetBox service user.
Title | | NetBox 4.3.5 - 4.5.4 RCE via RenderTemplateMixin
Weaknesses | | CWE-183
References | |
Metrics | | cvssV3_1: {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}
Metrics | | cvssV4_0: {'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}

MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-05-04T16:59:25.855Z

Reserved: 2026-03-04T15:39:26.872Z

Link: CVE-2026-29514

Vulnrichment

Updated: 2026-05-04T16:59:20.436Z

NVD

Status: Received

Published: 2026-05-04T17:16:22.880

Modified: 2026-05-04T17:16:22.880

Link: CVE-2026-29514

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-04T19:44:06Z
