無料スキャン
MEDIUMCVE-2026-44794CVSS 5.4

CVE-2026-44794: Authorization Bypass in Nautobot

プラットフォーム

python

コンポーネント

nautobot

修正版

3.1.2

NVDで見る
保存
あなたの言語に翻訳中…

CVE-2026-44794 describes an authorization bypass vulnerability in Nautobot versions up to 3.1.1. This flaw allows unauthorized access to data through improper handling of inter-object references using GenericForeignKey. Successful exploitation could lead to data breaches and compromise network automation workflows. The vulnerability was published on May 13, 2026, and a fix is available in version 3.1.2.

Python

このCVEがあなたのプロジェクトに影響するか確認

requirements.txt ファイルをアップロードすると、影響の有無を即座にお知らせします。

requirements.txt をアップロード対応フォーマット: requirements.txt · Pipfile.lock

影響と攻撃シナリオ翻訳中…

The vulnerability stems from Nautobot's REST API failing to enforce user view permissions when validating references within GenericForeignKey relationships. An attacker with permission to create or update objects containing these references, but lacking permission to view the referenced objects, can bypass access controls. For instance, a user who can modify ImageAttachment records but lacks permission to view Device records could potentially access sensitive device information. This could expose confidential network configurations, credentials, or other sensitive data. The blast radius extends to any data accessible through these improperly validated references, potentially impacting multiple modules and workflows within Nautobot.

悪用の状況翻訳中…

The vulnerability's public disclosure date is May 13, 2026. Its severity is rated as medium (CVSS 5.4). There is no indication of this vulnerability being actively exploited in the wild or appearing on KEV/EPSS at the time of writing. Public proof-of-concept exploits are not currently available, but the nature of the authorization bypass makes it likely that such exploits will emerge.

脅威インテリジェンス

エクスプロイト状況

概念実証不明
CISA KEVNO
インターネット露出

CVSS ベクトル

脅威インテリジェンス· CVSS 3.1CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N5.4MEDIUMAttack VectorNetwork攻撃者がターゲットに到達する方法Attack ComplexityLow悪用に必要な条件Privileges RequiredLow攻撃に必要な認証レベルUser InteractionNone被害者の操作が必要かどうかScopeUnchanged影響コンポーネント外への波及ConfidentialityLow機密データ漏洩のリスクIntegrityLow不正データ改ざんのリスクAvailabilityNoneサービス障害のリスクnextguardhq.com · CVSS v3.1 基本スコア
これらのメトリクスの意味は?
Attack Vector
ネットワーク — インターネット経由でリモートから悪用可能。物理・ローカルアクセス不要。
Attack Complexity
低 — 特別な条件不要。安定して悪用可能。
Privileges Required
低 — 有効なユーザーアカウントがあれば十分。
User Interaction
なし — 自動かつ無音の攻撃。被害者は何もしない。
Scope
変化なし — 影響は脆弱なコンポーネントのみ。
Confidentiality
低 — 一部データへの部分的アクセス。
Integrity
低 — 限定的な範囲でデータ変更可能。
Availability
なし — 可用性への影響なし。

影響を受けるソフトウェア

コンポーネントnautobot
ベンダーosv
最大バージョン3.1.1
修正版3.1.2

タイムライン

  1. 公開日

緩和策と回避策翻訳中…

The primary mitigation is to upgrade to Nautobot version 3.1.2 or later, which includes the fix for this authorization bypass. If upgrading immediately is not feasible, consider implementing stricter access control policies within Nautobot to limit the permissions granted to users who create or update objects with GenericForeignKey references. Review and restrict access to sensitive objects referenced by these relationships. While a WAF or proxy cannot directly address this vulnerability, they can be configured to monitor for suspicious API requests related to object creation and updates, potentially detecting exploitation attempts. After upgrading, confirm the fix by attempting to access a protected object through a user account lacking the necessary view permissions; access should be denied.

修正方法翻訳中…

公式パッチはありません。回避策を確認するか、アップデートを監視してください。

よくある質問翻訳中…

What is CVE-2026-44794 — Authorization Bypass in Nautobot?

CVE-2026-44794 is a medium severity vulnerability in Nautobot versions up to 3.1.1 that allows unauthorized access to data through improper handling of object references. Attackers can bypass access controls and potentially view sensitive information.

Am I affected by CVE-2026-44794 in Nautobot?

If you are running Nautobot versions 3.1.1 or earlier, you are potentially affected. Assess your usage of GenericForeignKey relationships to determine the scope of the risk.

How do I fix CVE-2026-44794 in Nautobot?

Upgrade to Nautobot version 3.1.2 or later to resolve the vulnerability. Review and tighten access control policies as an interim measure.

Is CVE-2026-44794 being actively exploited?

There is currently no evidence of active exploitation in the wild, but the vulnerability's nature suggests potential for future exploitation.

Where can I find the official Nautobot advisory for CVE-2026-44794?

Refer to the official Nautobot security advisories on their website or GitHub repository for the latest information and updates regarding CVE-2026-44794.

あなたのプロジェクトは影響を受けていますか?

依存関係ファイルをアップロードすれば、このCVEや他のCVEがあなたに影響するか即座にわかります。

無料スキャンCVEを検索
Python

このCVEがあなたのプロジェクトに影響するか確認

requirements.txt ファイルをアップロードすると、影響の有無を即座にお知らせします。

requirements.txt をアップロード対応フォーマット: requirements.txt · Pipfile.lock
稼働中無料スキャン

Pythonプロジェクトを今すぐスキャン — アカウント不要

Upload your requirements.txt and get the vulnerability report instantly. No account. Uploading the file is just the start: with an account you get continuous monitoring, Slack/email alerts, multi-project and white-label reports.

手動スキャンSlack/メールアラートContinuous monitoringホワイトラベルレポート

依存関係ファイルをドラッグ&ドロップ

composer.lock、package-lock.json、requirements.txt、Gemfile.lock、pubspec.lock、Dockerfile...