Description
Nautobot is a Network Source of Truth and Network Automation Platform. Prior to 2.4.33 and 3.1.2, a user with access to add/change a GitRepository record could use the REST API to directly set the current_head field on the record, which was not intended to be user-editable. Doing so could cause Nautobot's local clone(s) of the relevant repository to checkout a commit other than the latest commit on the specified branch (resulting in misleading state), or potentially to be unable to make use of the repository at all (until manually remediated) due to the current_head pointing to a nonexistent commit hash or malformed value. This vulnerability is fixed in 2.4.33 and 3.1.2.
Published: 2026-05-28
Score: 7.1 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Before the fix, a REST API user holding add or change permission on GitRepository objects could set the current_head field directly. That field records which commit Nautobot's local clone has checked out; it is meant to be maintained by the repository sync process, not by API clients. By writing it, such a user can make Nautobot's local clone check out a commit other than the tip of the configured branch, or point it at a nonexistent or malformed commit hash so the repository cannot be used until an administrator intervenes. Content Nautobot loads from the repository then either lags the branch (misleading state) or becomes unavailable, which undermines the accuracy of the automation built on it and can feed stale data into workflows that change device configuration.

Affected Systems

Nautobot versions before 2.4.33 on the 2.x line and before 3.1.2 on the 3.x line are affected. Exposure requires only that a user with add or change permission on GitRepository objects can reach the REST API. No other products are listed.

Risk and Exploitability

The CVSS v3.1 base score is 7.1 (High), vector AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H: reachable over the network with low attack complexity and no user interaction, but requiring an authenticated account with low privileges; the impact is low on integrity and high on availability, with no confidentiality impact. No EPSS score is available, the issue is not listed in CISA KEV, and the SSVC assessment records Exploitation: none and Automatable: no. An attacker must first authenticate to the REST API with add or change permission on GitRepository records; with that, a single write request setting an arbitrary current_head value is enough. Releases 2.4.33 and 3.1.2 fix the issue by making current_head read-only in the REST API.

Generated by OpenCVE AI on May 28, 2026 at 19:25 UTC.

Remediation

Fixed in Nautobot 2.4.33 and 3.1.2 (GHSA-p3hx-pwf3-j8wr). No separate vendor workaround is listed for unpatched instances.

OpenCVE Recommended Actions

  • Upgrade Nautobot to version 2.4.33 or later (2.x line), or to 3.1.2 or later (3.x line), which make current_head read-only in the REST API.
  • Restrict REST API permissions so that only trusted administrators hold add or change permission on GitRepository objects, and give all other users read-only access to them.
  • After the upgrade, verify that every existing GitRepository object has a current_head that is a well-formed commit hash and matches the tip of its configured branch, and re-synchronize or manually correct any repository whose head is stale, nonexistent or malformed.
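The mechanism described in the AI Analysis (a client-writable field that should have been server-controlled, CWE-471) and the post-upgrade verification step in the third recommended action are easier to reason about with working code. The following is an added example written for this page, not Nautobot's own code or serializer: it models a GitRepository record in plain Python (no Django or DRF), contrasts an update routine that writes every attribute a client names with one that enforces a server-side allowlist of writable fields, and provides an audit that flags current_head values that are malformed or that do not match the tip of the configured branch in a local clone. The GitRepository field set, the WRITABLE_FIELDS allowlist, the clone_paths mapping and the sample payload are assumptions for illustration; only the field names current_head and branch and the fix versions come from the advisory.

```python
"""
Added example (not Nautobot's code): models the current_head defect and the
post-upgrade audit in plain Python. Field names beyond current_head and branch,
the allowlist and all sample data are assumptions for illustration.
"""
from __future__ import annotations

import re
import subprocess
from dataclasses import dataclass, fields, replace

# Git object names: 40 hex chars (SHA-1) or 64 hex chars (SHA-256 repositories).
COMMIT_HASH_RE = re.compile(r"^(?:[0-9a-f]{40}|[0-9a-f]{64})$")


@dataclass
class GitRepository:
    name: str
    remote_url: str
    branch: str = "main"
    current_head: str = ""  # written by the sync job, never by API clients


# Fields an API client may write (assumed set). current_head is deliberately
# absent: it is derived state that only the repository sync job should update.
WRITABLE_FIELDS = frozenset({"name", "remote_url", "branch"})


class ReadOnlyFieldError(ValueError):
    pass


def update_vulnerable(repo: GitRepository, payload: dict) -> GitRepository:
    """Pre-fix behaviour: every model field named in the payload is written,
    so a low-privilege user can overwrite current_head with anything."""
    model_fields = {f.name for f in fields(repo)}
    changes = {k: v for k, v in payload.items() if k in model_fields}
    return replace(repo, **changes)


def update_fixed(repo: GitRepository, payload: dict, *, strict: bool = False) -> GitRepository:
    """Fixed behaviour: only allow-listed fields are written.

    strict=False mirrors Django REST Framework's read_only_fields, which silently
    drops read-only keys from input; strict=True rejects the request instead,
    which is preferable when you want such attempts to surface in audit logs.
    """
    unexpected = set(payload) - WRITABLE_FIELDS
    if unexpected and strict:
        raise ReadOnlyFieldError(f"read-only or unknown fields in payload: {sorted(unexpected)}")
    changes = {k: v for k, v in payload.items() if k in WRITABLE_FIELDS}
    return replace(repo, **changes)


def is_plausible_commit_hash(value: object) -> bool:
    return isinstance(value, str) and COMMIT_HASH_RE.fullmatch(value) is not None


def resolve_branch_head(clone_path: str, branch: str) -> str | None:
    """Commit at the tip of the branch in the local clone, or None when git is
    unavailable, the path is not a repository, or the branch does not exist."""
    try:
        out = subprocess.run(
            ["git", "-C", clone_path, "rev-parse", "--verify", f"refs/heads/{branch}"],
            capture_output=True, text=True, timeout=10, check=False,
        )
    except (FileNotFoundError, subprocess.TimeoutExpired):
        return None
    return out.stdout.strip() if out.returncode == 0 else None


def audit_current_head(repos: list[GitRepository],
                       clone_paths: dict[str, str] | None = None) -> list[tuple[str, str]]:
    """(repo name, finding) pairs for records whose current_head looks tampered
    with or stale. An empty current_head is normal for a never-synced repository.
    clone_paths (assumed mapping name -> local clone directory) enables the git check."""
    findings: list[tuple[str, str]] = []
    for repo in repos:
        head = repo.current_head
        if head == "":
            continue
        if not is_plausible_commit_hash(head):
            findings.append((repo.name, f"malformed current_head {head!r}"))
            continue
        path = (clone_paths or {}).get(repo.name)
        if path is None:
            continue
        expected = resolve_branch_head(path, repo.branch)
        if expected is None:
            findings.append((repo.name, f"could not resolve branch {repo.branch!r} in {path}"))
        elif expected != head:
            findings.append((repo.name,
                             f"current_head {head[:12]} is not the tip of {repo.branch!r} ({expected[:12]})"))
    return findings


if __name__ == "__main__":
    # Constructed sample record and a constructed payload from a user who holds
    # change permission on GitRepository but should not control current_head.
    repo = GitRepository("configs", "https://git.example.com/net/configs.git", current_head="a" * 40)
    payload = {"branch": "main", "current_head": "deadbeef"}
    print(update_vulnerable(repo, payload).current_head)  # deadbeef
    print(update_fixed(repo, payload).current_head)       # aaaa...a (unchanged)
    print(audit_current_head([update_vulnerable(repo, payload)]))
```

Run as a script it shows the attacker-supplied value surviving the vulnerable path and being dropped by the fixed one. Against a live instance, feed audit_current_head the records returned by the GitRepository REST endpoint together with a mapping from repository name to Nautobot's local clone directory; any finding means that record needs re-synchronizing or manual correction, which is the check the third recommended action calls for.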

Generated by OpenCVE AI on May 28, 2026 at 19:25 UTC.

Advisories

Source: GitHub GHSA
ID: GHSA-p3hx-pwf3-j8wr
Title: Nautobot: GitRepository.current_head field should not be writable through REST API
History

Thu, 28 May 2026 20:15:00 +0000

Type: First Time appeared
Values Removed: (none)
Values Added: Nautobot; Nautobot nautobot

Type: Vendors & Products
Values Removed: (none)
Values Added: Nautobot; Nautobot nautobot

Thu, 28 May 2026 19:45:00 +0000

Type: First Time appeared
Values Removed: (none)
Values Added: Networktocode; Networktocode nautobot

Type: CPEs
Values Removed: (none)
Values Added: cpe:2.3:a:networktocode:nautobot:*:*:*:*:*:*:*:*

Type: Vendors & Products
Values Removed: (none)
Values Added: Networktocode; Networktocode nautobot

Thu, 28 May 2026 19:30:00 +0000

Type: Metrics
Values Removed: (none)
Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 28 May 2026 18:00:00 +0000

Type: Description
Values Removed: (none)
Values Added: Nautobot is a Network Source of Truth and Network Automation Platform. Prior to 2.4.33 and 3.1.2, a user with access to add/change a GitRepository record could use the REST API to directly set the current_head field on the record, which was not intended to be user-editable. Doing so could cause Nautobot's local clone(s) of the relevant repository to checkout a commit other than the latest commit on the specified branch (resulting in misleading state), or potentially to be unable to make use of the repository at all (until manually remediated) due to the current_head pointing to a nonexistent commit hash or malformed value. This vulnerability is fixed in 2.4.33 and 3.1.2.

Type: Title
Values Removed: (none)
Values Added: Nautobot: GitRepository.current_head field should not be writable through REST API

Type: Weaknesses
Values Removed: (none)
Values Added: CWE-471 (Modification of Assumed-Immutable Data); CWE-749 (Exposed Dangerous Method or Function)

Type: References
Values Removed: (none)
Values Added: (none listed)

Type: Metrics
Values Removed: (none)
Values Added: cvssV3_1 {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H'}


Subscriptions

Nautobot Nautobot
Networktocode Nautobot
MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-28T19:02:15.222Z

Reserved: 2026-05-07T19:20:44.693Z

Link: CVE-2026-44798

Vulnrichment

Updated: 2026-05-28T19:01:58.961Z

NVD

Status : Analyzed

Published: 2026-05-28T18:16:34.007

Modified: 2026-05-28T19:30:57.857

Link: CVE-2026-44798

Red Hat

No data.

OpenCVE Enrichment

Updated: 2026-05-28T20:00:14Z

Weaknesses