Description
Nautobot is a Network Source of Truth and Network Automation Platform. Prior to 2.4.33 and 3.1.2, in the case of inter-object references via GenericForeignKey (a pattern allowing an object to reference another object that may belong to one of several different "content types" or database tables), when creating or updating an object containing a GenericForeignKey, Nautobot's REST API failed to enforce user "view" permissions when determining whether a given reference to another object would be valid. This vulnerability is fixed in 2.4.33 and 3.1.2.
Published: 2026-05-28
Score: 5.4 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Nautobot, a network automation platform, allowed the REST API to create or update objects that contain a GenericForeignKey reference without enforcing the user’s “view” permissions. The vulnerability permits an attacker with API access to reference objects that they should not be able to see, granting them elevated visibility into protected data. This missing authorization flaw is identified as CWE‑862 and can lead to privilege escalation by exposing sensitive object relationships.
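The defensive pattern the fix restores can be shown in a few lines. The following is an added illustration written for this page, not Nautobot's code: an in-memory object store and a per-user view predicate stand in for the database tables and the application's object-level permission rules, and the names `Obj`, `STORE`, `ACME_USER`, `assigned_object_type` and `assigned_object_id` are assumptions. It contrasts a resolver that only checks that the referenced object exists (the pre-fix behaviour the description above refers to) with one that resolves the reference through the set of objects the requesting user is allowed to view, and it returns the same error for a hidden object as for a missing one so the create/update endpoint cannot be used to confirm which object ids exist.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, Tuple


class ValidationError(Exception):
    """Rejects an API payload. The message deliberately does not reveal whether the
    referenced object exists but is hidden, or does not exist at all."""


@dataclass(frozen=True)
class Obj:
    content_type: str  # e.g. "dcim.device": the 'table' a generic reference points into
    pk: int
    name: str
    tenant: str        # attribute that object-level view constraints filter on


@dataclass
class User:
    username: str
    # content_type -> predicate that is True when this user may view the object.
    # Stands in for whatever object-level permission mechanism the application uses.
    view_constraints: Dict[str, Callable[[Obj], bool]] = field(default_factory=dict)

    def can_view(self, obj: Obj) -> bool:
        pred = self.view_constraints.get(obj.content_type)
        return pred is not None and pred(obj)


# Constructed sample data standing in for database tables (assumed, not Nautobot data).
STORE: Dict[str, Dict[int, Obj]] = {
    "dcim.device": {
        1: Obj("dcim.device", 1, "edge-rtr-1", tenant="acme"),
        2: Obj("dcim.device", 2, "core-sw-1", tenant="globex"),
    },
    "ipam.prefix": {
        10: Obj("ipam.prefix", 10, "10.0.0.0/8", tenant="acme"),
    },
}

# Constructed user: may view only acme-tenant devices, and no prefixes at all.
ACME_USER = User("alice", {"dcim.device": lambda o: o.tenant == "acme"})

NOT_FOUND = "Related object not found."


def resolve_reference_unchecked(content_type: str, object_id: int) -> Obj:
    """Pre-fix pattern: accept any reference to an object that exists, regardless
    of whether the requesting user is allowed to view it."""
    obj = STORE.get(content_type, {}).get(object_id)
    if obj is None:
        raise ValidationError(NOT_FOUND)
    return obj


def resolve_reference(user: User, content_type: str, object_id: int) -> Obj:
    """Fixed pattern: resolve the reference only through the objects the user may
    view. Hidden and missing objects raise the identical error."""
    obj = STORE.get(content_type, {}).get(object_id)
    if obj is None or not user.can_view(obj):
        raise ValidationError(NOT_FOUND)
    return obj


def check_reference(user: User, payload: dict, enforce_view: bool = True) -> Tuple[bool, str]:
    """Validate the generic-reference fields of an incoming API payload and report
    the outcome as (accepted, detail). The field names are assumed for this example."""
    ct, pk = payload["assigned_object_type"], payload["assigned_object_id"]
    try:
        if enforce_view:
            obj = resolve_reference(user, ct, pk)
        else:
            obj = resolve_reference_unchecked(ct, pk)
    except ValidationError as exc:
        return False, str(exc)
    return True, f"{obj.content_type}:{obj.pk} ({obj.name})"


if __name__ == "__main__":
    hidden = {"assigned_object_type": "dcim.device", "assigned_object_id": 2}
    print("existence-only check:", check_reference(ACME_USER, hidden, enforce_view=False))
    print("view-permission check:", check_reference(ACME_USER, hidden))
```

Run as a script, the first line shows the existence-only resolver accepting a reference to a device the user cannot view, while the second shows the permission-aware resolver rejecting it with the same message a non-existent id would get. The point to check in any similar API is that reference validation goes through the same permission-filtered lookup that the corresponding "view" endpoint uses, rather than through a raw existence query.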

Affected Systems

The issue affected all versions of Nautobot prior to 2.4.33 and 3.1.2. Users deploying Nautobot 2.4.32, 2.4.31, 3.1.1 or earlier must be aware that the REST API can create improper GenericForeignKey links, potentially leaking confidential information.

Risk and Exploitability

The CVSS 3.1 score of 5.4 (vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N) classifies this as a medium-severity vulnerability. EPSS data is unavailable and the vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog. Exploitation requires an authenticated API user (PR:L) with the ability to create or update objects, reached over the network (AV:N) through the exposed REST API endpoints. Although currently available public evidence does not indicate widespread exploitation, the missing permission check gives such a user a way to reference back-end objects they are not authorized to view.

Generated by OpenCVE AI on May 28, 2026 at 19:24 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Nautobot to version 2.4.33 or later, or 3.1.2 or later, where the REST API enforces view permissions on GenericForeignKey references.
  • After upgrading, audit the API endpoints that create or update objects containing GenericForeignKey fields to confirm that proper permission checks are in place.
  • If an upgrade is not immediately possible, restrict access to the REST API for users who should not be able to create or modify GenericForeignKey references, and review existing references to ensure no unauthorized links exist.



Advisories

Source: GitHub GHSA
ID: GHSA-wpxj-44w3-2j6x
Title: Nautobot: REST API permits creation of GenericForeignKey references to objects that the user should not be able to reference
History

Thu, 28 May 2026 19:45:00 +0000

Type: First Time appeared
Values Added: Nautobot; Nautobot nautobot

Type: Vendors & Products
Values Added: Nautobot; Nautobot nautobot

Thu, 28 May 2026 18:00:00 +0000

Type: Description
Values Added: Nautobot is a Network Source of Truth and Network Automation Platform. Prior to 2.4.33 and 3.1.2, in the case of inter-object references via GenericForeignKey (a pattern allowing an object to reference another object that may belong to one of several different "content types" or database tables), when creating or updating an object containing a GenericForeignKey, Nautobot's REST API failed to enforce user "view" permissions when determining whether a given reference to another object would be valid. This vulnerability is fixed in 2.4.33 and 3.1.2.

Type: Title
Values Added: Nautobot: REST API permits creation of GenericForeignKey references to objects that the user should not be able to reference

Type: Weaknesses
Values Added: CWE-862

Type: References

Type: Metrics
Values Added: cvssV3_1 {'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-28T17:01:21.400Z

Reserved: 2026-05-07T19:20:44.693Z

Link: CVE-2026-44794

Vulnrichment

No data.

NVD

Status: Undergoing Analysis

Published: 2026-05-28T18:16:33.203

Modified: 2026-05-28T18:38:35.797

Link: CVE-2026-44794

Red Hat

No data.

OpenCVE Enrichment

Updated: 2026-05-28T19:30:16Z

Weaknesses