Description
Nautobot is a Network Source of Truth and Network Automation Platform. Prior to 2.4.33 and 3.1.2, Nautobot's Webhook data model and associated feature set could be configured by users with sufficient access to perform requests to various hosts and IP addresses that should not be permitted, allowing for various behaviors similar to server-side request forgery (SSRF). This vulnerability is fixed in 2.4.33 and 3.1.2.
Published: 2026-05-28
Score: 8.5 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability allows users with sufficient Nautobot privileges to configure webhook definitions that can issue HTTP requests to arbitrary hosts and IP addresses. This capability effectively results in a server‑side request forgery (SSRF) which could let an attacker read internal network resources, exfiltrate sensitive data, or interact with internal services without direct network access. The weakness is identified as CWE‑918.

Affected Systems

Vendor Nautobot. Product Nautobot Network Source of Truth and Automation Platform. Affected releases are all versions prior to 2.4.33 for the 2.x line and before 3.1.2 for the 3.x line; audited fixes are available in those releases.

Risk and Exploitability

The CVSS base score of 8.5 marks this as high severity. No EPSS score is supplied, and the vulnerability is not listed in the CISA KEV catalog. Exploitation requires that the attacker have the ability to create or modify webhook definitions, typically implying at least a high‑privileged Nautobot user. Once the user defines a malicious webhook, the server performs outbound requests to attacker‑chosen destinations, enabling further lateral movement or data exfiltration within the internal network.

Generated by OpenCVE AI on May 28, 2026 at 19:25 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Nautobot to version 2.4.33 or later on the 2.x branch, or 3.1.2 or later on the 3.x branch, where the issue is fixed.
  • If an immediate upgrade is not feasible, reduce the scope of permissions for users that can create or edit webhook definitions, restricting the ability to configure outbound URLs to only necessary endpoints.
  • Implement network segmentation or firewall rules that block outbound traffic from Nautobot’s service environment to privileged internal hosts, cutting off the SSRF attack surface even if a malicious webhook is still created.

Generated by OpenCVE AI on May 28, 2026 at 19:25 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-c35q-vxrp-ph26 Nautobot: Webhook definitions could be used for server-side request forgery (SSRF)
History

Thu, 28 May 2026 20:15:00 +0000

Type Values Removed Values Added
First Time appeared Nautobot
Nautobot nautobot
Vendors & Products Nautobot
Nautobot nautobot

Thu, 28 May 2026 18:00:00 +0000

Type Values Removed Values Added
Description Nautobot is a Network Source of Truth and Network Automation Platform. Prior to 2.4.33 and 3.1.2, Nautobot's Webhook data model and associated feature set could be configured by users with sufficient access to perform requests to various hosts and IP addresses that should not be permitted, allowing for various behaviors similar to server-side request forgery (SSRF). This vulnerability is fixed in 2.4.33 and 3.1.2.
Title Nautobot: Webhook definitions could be used for server-side request forgery (SSRF)
Weaknesses CWE-918
References
Metrics cvssV3_1

{'score': 8.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N'}

Subscriptions

Nautobot Nautobot
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-28T16:59:06.143Z

Reserved: 2026-05-07T19:20:44.693Z

Link: CVE-2026-44797

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Undergoing Analysis

Published: 2026-05-28T18:16:33.837

Modified: 2026-05-28T18:38:35.797

Link: CVE-2026-44797

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-28T20:00:14Z

Weaknesses