HIGH · CVE-2026-44798 · CVSS 7.1

CVE-2026-44798: GitRepository Manipulation in Nautobot

Platform

python

Component

nautobot

Fixed in

3.1.2


CVE-2026-44798 is a security vulnerability affecting Nautobot versions up to and including 3.1.1. A user who holds permission to add or modify GitRepository records can write directly to the current_head field through the REST API, a field Nautobot uses to track which commit the repository is currently at. Setting it to a bogus value can leave the repository state misleading or prevent Nautobot from using the repository at all until an administrator repairs the record by hand.


Impact and Attack Scenarios

The primary impact of CVE-2026-44798 is disruption and misrepresentation of repository state inside Nautobot. An attacker who can add or modify GitRepository records can set current_head to a non-existent commit hash or to a value that is not a commit hash at all. Nautobot then no longer tracks the true state of the repository, so the UI and any workflow that relies on the record (config rendering, jobs, exports) may act on incorrect data. Nothing is disclosed (CVSS C:N), but the operational consequences can be significant: deployments and automation that depend on the repository may stall or run against the wrong revision. The blast radius is limited to the affected Nautobot instance and the repositories it manages.

Exploitation Context

CVE-2026-44798 was published on May 13, 2026 with a CVSS 3.1 base score of 7.1 (HIGH). No public proof-of-concept exploit is known. It is not in the CISA Known Exploited Vulnerabilities (KEV) catalog and no EPSS score is recorded here, so the probability of exploitation is assessed as low to medium. No active campaigns are known. Note that although the vector is network-reachable with low privileges (PR:L), exploitation still requires an authenticated account that holds add or change permission on GitRepository records.

Threat Intelligence

Exploit Status

Proof of Concept: Unknown
CISA KEV: No
Internet exposure: High

CVSS vector

CVSS 3.1 base score: 7.1 (HIGH)
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H

Attack Vector: Network (how the attacker reaches the target)
Attack Complexity: Low (conditions required to exploit)
Privileges Required: Low (authentication level required for the attack)
User Interaction: None (whether the victim must act)
Scope: Unchanged (impact beyond the affected component)
Confidentiality: None (risk of sensitive data exposure)
Integrity: Low (risk of unauthorized data modification)
Availability: High (risk of service disruption)

Source: nextguardhq.com · CVSS v3.1 base score
What do these metrics mean?
Attack Vector
Network: exploitable remotely over the network. No physical or local access required.
Attack Complexity
Low: no special conditions required. Reliably exploitable.
Privileges Required
Low: a valid, authenticated account is enough. For this CVE that account must additionally hold add/change permission on GitRepository records.
User Interaction
None: the attack is automatic and silent. The victim does nothing.
Scope
Unchanged: impact limited to the vulnerable component.
Confidentiality
None: no confidentiality impact.
Integrity
Low: the attacker can alter some data of limited scope (here, the current_head field).
Availability
High: the affected function can be rendered unusable, here by leaving the repository in a state Nautobot cannot use.

Affected Software

Component: nautobot
Source: osv
Highest affected version: 3.1.1
Fixed in: 3.1.2

Timeline

  1. Published: May 13, 2026

Mitigation and Workarounds

The recommended mitigation for CVE-2026-44798 is to upgrade to Nautobot 3.1.2 or later, which contains the fix. If an immediate upgrade is not possible, restrict add and change permissions on GitRepository objects to the few accounts that genuinely need them, and review API tokens that carry those permissions. Treat current_head as a server-managed field: where a gateway or proxy sits in front of the REST API, reject or strip current_head from client-supplied writes to GitRepository records until the upgrade is in place. Regularly audit GitRepository records for unexpected changes to current_head, including values that are not well-formed commit hashes. After upgrading, confirm the fix by checking that current_head on several GitRepository records matches the commit the remote actually reports for the configured branch.
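The audit and the post-upgrade verification above can be scripted. The following Python is an added example, not Nautobot's own code: it takes GitRepository records in the shape the REST API returns them (the endpoint /api/extras/git-repositories/ and the fields name, remote_url and branch are assumed here; only current_head is named on this page) and compares each current_head with the branch tip the remote reports. A value that is not a commit hash at all can only have been written to the field directly, so it is raised as an alert; a head that is on the branch but behind the tip is merely stale. All records, URLs and commit ids below are constructed sample data; in practice the remote data would come from `git ls-remote` and `git rev-list`.

```python
"""Audit Nautobot GitRepository current_head values against the remote.

Added example, not Nautobot code. Record shape and endpoint are assumed;
all sample data is constructed.
"""
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Set, Tuple

# A git object id is 40 lowercase hex chars (SHA-1) or 64 (SHA-256 repositories).
_OID_RE = re.compile(r"^(?:[0-9a-f]{40}|[0-9a-f]{64})$")

RepoKey = Tuple[str, str]  # (remote_url, branch)


def is_well_formed_head(value: object) -> bool:
    """True only for a lowercase hex commit id of a valid length."""
    return isinstance(value, str) and _OID_RE.match(value) is not None


@dataclass(frozen=True)
class Finding:
    repo: str                    # GitRepository name
    level: str                   # "alert" = looks tampered/broken, "warn" = worth a look
    reason: str
    current_head: Optional[str]
    expected_head: Optional[str]


def audit_repositories(
    api_records: Iterable[dict],
    remote_heads: Dict[RepoKey, str],
    known_commits: Optional[Dict[RepoKey, Set[str]]] = None,
) -> List[Finding]:
    """Compare each record's current_head with what the remote reports.

    remote_heads:  branch tip per (remote_url, branch), e.g. from `git ls-remote`.
    known_commits: optional commit set per branch, e.g. from `git rev-list`; lets
                   us tell a merely stale head from one not on the branch at all.
    An empty result means every head checked out.
    """
    known_commits = known_commits or {}
    findings: List[Finding] = []
    for rec in api_records:
        name = rec["name"]
        head = rec.get("current_head")
        key: RepoKey = (rec["remote_url"], rec.get("branch") or "main")
        tip = remote_heads.get(key)

        if head in (None, ""):
            # A repository that has never been synced legitimately has no head.
            findings.append(Finding(name, "warn", "empty current_head (never synced?)", head, tip))
        elif not is_well_formed_head(head):
            # A real sync only ever stores a commit id; anything else was written directly.
            findings.append(Finding(name, "alert", "current_head is not a commit id", head, tip))
        elif tip is None:
            findings.append(Finding(name, "warn", "no remote head available for comparison", head, None))
        elif head == tip:
            pass  # in sync with the remote branch tip
        elif head in known_commits.get(key, set()):
            # Older commit on the same branch: stale, not tampered.
            findings.append(Finding(name, "warn", "current_head behind remote tip", head, tip))
        else:
            findings.append(Finding(name, "alert", "current_head not on remote branch", head, tip))
    return findings


# Constructed sample data (not real repositories or commits).
_URL = "https://git.example.com/netops/{}.git"
SAMPLE_RECORDS = [
    {"name": "golden-configs", "remote_url": _URL.format("golden-configs"), "branch": "main",
     "current_head": "8f3c2a1e9d4b7c6a5f0e1d2c3b4a5968778695a4"},   # in sync
    {"name": "jobs", "remote_url": _URL.format("jobs"), "branch": "main",
     "current_head": "0123456789abcdef0123456789abcdef01234567"},   # one commit behind
    {"name": "export-templates", "remote_url": _URL.format("templates"), "branch": "main",
     "current_head": "deadbeef"},                                    # not a commit id
    {"name": "new-repo", "remote_url": _URL.format("new"), "branch": "develop",
     "current_head": ""},                                            # never synced
    {"name": "secrets", "remote_url": _URL.format("secrets"), "branch": "main",
     "current_head": "f" * 40},                                      # commit unknown to remote
]
SAMPLE_REMOTE_HEADS = {
    (_URL.format("golden-configs"), "main"): "8f3c2a1e9d4b7c6a5f0e1d2c3b4a5968778695a4",
    (_URL.format("jobs"), "main"): "aaaa1111bbbb2222cccc3333dddd4444eeee5555",
    (_URL.format("templates"), "main"): "1234567890abcdef1234567890abcdef12345678",
    (_URL.format("new"), "develop"): "abcdefabcdefabcdefabcdefabcdefabcdefabcd",
    (_URL.format("secrets"), "main"): "9999888877776666555544443333222211110000",
}
SAMPLE_KNOWN_COMMITS = {
    (_URL.format("jobs"), "main"): {
        "aaaa1111bbbb2222cccc3333dddd4444eeee5555",
        "0123456789abcdef0123456789abcdef01234567",
    },
}


def run_sample() -> List[Finding]:
    """Run the audit over the constructed sample and return the findings."""
    return audit_repositories(SAMPLE_RECORDS, SAMPLE_REMOTE_HEADS, SAMPLE_KNOWN_COMMITS)


if __name__ == "__main__":
    for f in run_sample():
        print(f"[{f.level}] {f.repo}: {f.reason} (current={f.current_head!r}, remote={f.expected_head!r})")
```

On the sample, golden-configs produces no finding, jobs is a warning (behind the tip but on the branch), new-repo is a warning (never synced), and export-templates and secrets are alerts. Alerts are the records worth treating as possible CVE-2026-44798 manipulation and re-syncing; the known-commits set is what keeps a simply stale repository from being misreported as tampered.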

How to fix

Upgrade to Nautobot 3.1.2 or later, the first release that contains the fix. Until the upgrade is done, apply the workarounds above.

Frequently Asked Questions

What is CVE-2026-44798 — GitRepository Manipulation in Nautobot?

CVE-2026-44798 is a HIGH severity vulnerability in Nautobot versions ≤3.1.1. A user who already holds permission to add or modify GitRepository records can write directly to the current_head field through the REST API, which can misrepresent the repository's state or leave Nautobot unable to use the repository until an administrator repairs the record.

Am I affected by CVE-2026-44798 in Nautobot?

You are affected if you run Nautobot 3.1.1 or earlier (`pip show nautobot` in the Nautobot environment prints the installed version). Upgrade to 3.1.2 or later as soon as possible.

How do I fix CVE-2026-44798 in Nautobot?

Upgrade to Nautobot 3.1.2 or later. If an immediate upgrade is not possible, restrict add/change permissions on GitRepository records to the accounts that need them and treat current_head as a server-managed field that clients must not be allowed to set.

Is CVE-2026-44798 being actively exploited?

Currently, there are no publicly known active exploitation campaigns or proof-of-concept exploits for CVE-2026-44798.

Where can I find the official Nautobot advisory for CVE-2026-44798?

Refer to the official Nautobot security advisory for detailed information and updates regarding CVE-2026-44798: [https://nautobot.io/security/advisories/](https://nautobot.io/security/advisories/)
