CVE-2026-44794 | THREATINT

Description

Nautobot is a Network Source of Truth and Network Automation Platform. Prior to 2.4.33 and 3.1.2, in the case of inter-object references via GenericForeignKey (a pattern allowing an object to reference another object that may belong to one of several different "content types" or database tables), when creating or updating an object containing a GenericForeignKey, Nautobot's REST API failed to enforce user "view" permissions when determining whether a given reference to another object would be valid. This vulnerability is fixed in 2.4.33 and 3.1.2.

PUBLISHED Reserved 2026-05-07 | Published 2026-05-28 | Updated 2026-05-30 | Assigner GitHub_M

MEDIUM: 5.4CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

Problem types

CWE-862: Missing Authorization

Product status

>= 3.0.0a2, < 3.1.2

affected

< 2.4.33

affected

References

github.com/...utobot/security/advisories/GHSA-wpxj-44w3-2j6x

github.com/...ommit/36cde7148a207234de6212ec074f321dbc9d1b5b

github.com/...ommit/9918bdb9bcf1eb42cda72c344f420a64ef7665f1

github.com/nautobot/nautobot/releases/tag/v2.4.33

github.com/nautobot/nautobot/releases/tag/v3.1.2

cve.org (CVE-2026-44794)

nvd.nist.gov (CVE-2026-44794)

Download JSON