Escanear gratis
MEDIUMCVE-2026-44796CVSS 6.5

CVE-2026-44796: DoS in Nautobot

Plataforma

python

Componente

nautobot

Corregido en

3.1.2

Ver en NVD
Guardar
Traduciendo a tu idioma…

CVE-2026-44796 describes a Denial of Service (DoS) vulnerability discovered in Nautobot. Attackers can trigger this vulnerability by crafting malicious regular expressions within the find field of UI object-bulk-rename endpoints, combined with the use_regex flag. This can lead to an application-wide denial of service, rendering the Nautobot interface unresponsive. The vulnerability affects versions of Nautobot up to 3.1.1, and a fix is available in version 3.1.2.

Python

Detecta esta CVE en tu proyecto

Sube tu archivo requirements.txt y te decimos al instante si estás afectado.

Subir requirements.txtFormatos soportados: requirements.txt · Pipfile.lock

Impacto y Escenarios de Ataquetraduciendo…

The primary impact of CVE-2026-44796 is a denial of service. A successful exploit can overwhelm the Nautobot application with regular expression evaluation, preventing legitimate users from accessing and managing network devices and configurations. This disruption can significantly impact network operations and troubleshooting efforts. The vulnerability lies within the UI object-bulk-rename endpoints, specifically when the use_regex flag is enabled alongside a malicious find parameter. The regular expression engine's inability to handle complex or poorly formed patterns can lead to excessive resource consumption and application instability. The blast radius is the entire Nautobot application, potentially impacting all users.

Contexto de Explotacióntraduciendo…

CVE-2026-44796 was published on May 13, 2026. The vulnerability's severity is rated as Medium. No public proof-of-concept (POC) code has been publicly disclosed at the time of writing. There are no indications of active exploitation campaigns targeting this vulnerability. The NVD and CISA databases reflect the publication date.

Inteligencia de Amenazas

Estado del Exploit

Prueba de ConceptoDesconocido
CISA KEVNO
Exposición en InternetAlta

Vector CVSS

INTELIGENCIA DE AMENAZAS· CVSS 3.1CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H6.5MEDIUMAttack VectorNetworkCómo el atacante alcanza el objetivoAttack ComplexityLowCondiciones necesarias para explotarPrivileges RequiredLowNivel de autenticación requeridoUser InteractionNoneSi la víctima debe realizar una acciónScopeUnchangedImpacto más allá del componente afectadoConfidentialityNoneRiesgo de exposición de datos sensiblesIntegrityNoneRiesgo de modificación no autorizada de datosAvailabilityHighRiesgo de interrupción del servicionextguardhq.com · Puntuación Base CVSS v3.1
¿Qué significan estas métricas?
Attack Vector
Red — explotable remotamente por internet. Sin acceso físico ni local. Mayor superficie de ataque.
Attack Complexity
Baja — sin condiciones especiales. El atacante puede explotar de forma confiable sin configuraciones raras.
Privileges Required
Bajo — cualquier cuenta de usuario válida es suficiente.
User Interaction
Ninguna — el ataque es automático y silencioso. La víctima no hace nada.
Scope
Sin cambio — el impacto se limita al componente vulnerable.
Confidentiality
Ninguno — sin impacto en confidencialidad.
Integrity
Ninguno — sin impacto en integridad.
Availability
Alto — caída completa o agotamiento de recursos. Denegación de servicio total.

Software Afectado

Componentenautobot
Proveedorosv
Versión máxima3.1.1
Corregido en3.1.2

Cronología

  1. Publicada

Mitigación y Workaroundstraduciendo…

The recommended mitigation for CVE-2026-44796 is to upgrade to Nautobot version 3.1.2 or later. This version introduces a general-purpose timeout to the affected endpoints, preventing regular expression evaluation from continuing indefinitely. If upgrading is not immediately feasible, consider restricting access to the /dcim/interfaces/rename/ and similar endpoints to trusted users only. While a direct workaround isn't available, careful input validation on the find field could offer limited protection, but is not a substitute for patching. After upgrading, confirm the fix by attempting to trigger the vulnerability with a known malicious regular expression and verifying that the request times out as expected.

Cómo corregirlotraduciendo…

Sin parche oficial disponible. Busca alternativas o monitorea actualizaciones.

Preguntas frecuentestraduciendo…

What is CVE-2026-44796 — DoS in Nautobot?

CVE-2026-44796 is a Denial of Service vulnerability in Nautobot affecting versions up to 3.1.1. It allows attackers to cause a denial of service by exploiting regular expression handling in UI bulk-rename endpoints.

Am I affected by CVE-2026-44796 in Nautobot?

You are affected if you are running Nautobot version 3.1.1 or earlier. The vulnerability lies in how the application handles regular expressions in specific UI endpoints.

How do I fix CVE-2026-44796 in Nautobot?

Upgrade to Nautobot version 3.1.2 or later. This version includes a timeout mechanism to prevent indefinite regular expression evaluation and mitigate the DoS vulnerability.

Is CVE-2026-44796 being actively exploited?

There are currently no public reports or indications of active exploitation campaigns targeting CVE-2026-44796.

Where can I find the official Nautobot advisory for CVE-2026-44796?

Refer to the Nautobot security advisories page for the latest information and official announcements regarding CVE-2026-44796: [https://nautobot.io/security/](https://nautobot.io/security/)

¿Tu proyecto está afectado?

Sube tu archivo de dependencias y detecta esta y otras CVEs al instante.

Escanear gratisBuscar CVEs
Python

Detecta esta CVE en tu proyecto

Sube tu archivo requirements.txt y te decimos al instante si estás afectado.

Subir requirements.txtFormatos soportados: requirements.txt · Pipfile.lock
liveescaneo gratuito

Escanea tu proyecto Python ahora — sin cuenta

Sube tu requirements.txt y recibís el reporte de vulnerabilidades al instante. Sin cuenta. Subir el archivo es solo el inicio: con una cuenta tenés monitoreo continuo, alertas en Slack/email, multi-proyecto y reportes white-label.

Escaneo manualAlertas en Slack/emailMonitoreo continuoReportes white-label

Arrastra y suelta tu archivo de dependencias

composer.lock, package-lock.json, requirements.txt, Gemfile.lock, pubspec.lock, Dockerfile...