CVE-2026-44794: Authorization Bypass in Nautobot

The vulnerability stems from Nautobot's REST API failing to enforce user view permissions when validating references within GenericForeignKey relationships. An attacker with permission to create or update objects containing these references, but lacking permission to view the referenced objects, can bypass access controls. For instance, a user who can modify ImageAttachment records but lacks permission to view Device records could potentially access sensitive device information. This could expose confidential network configurations, credentials, or other sensitive data. The blast radius extends to any data accessible through these improperly validated references, potentially impacting multiple modules and workflows within Nautobot.

1. प्रकाशित2026-05-13

The primary mitigation is to upgrade to Nautobot version 3.1.2 or later, which includes the fix for this authorization bypass. If upgrading immediately is not feasible, consider implementing stricter access control policies within Nautobot to limit the permissions granted to users who create or update objects with GenericForeignKey references. Review and restrict access to sensitive objects referenced by these relationships. While a WAF or proxy cannot directly address this vulnerability, they can be configured to monitor for suspicious API requests related to object creation and updates, potentially detecting exploitation attempts. After upgrading, confirm the fix by attempting to access a protected object through a user account lacking the necessary view permissions; access should be denied.