Gratis scannen
HIGHCVE-2026-44797CVSS 8.5

CVE-2026-44797: SSRF in Nautobot ≤3.1.1

Platform

python

Component

nautobot

Opgelost in

3.1.2

Bekijk op NVD
Opslaan
Wordt vertaald naar uw taal…

CVE-2026-44797 describes a Server-Side Request Forgery (SSRF) vulnerability within Nautobot's Webhook functionality. This allows users with sufficient access to craft requests to unintended hosts and IP addresses, potentially leading to unauthorized access and data exposure. The vulnerability affects versions of Nautobot up to and including 3.1.1, and patches are available in versions 2.4.33 and 3.1.2.

Python

Detecteer deze CVE in je project

Upload je requirements.txt-bestand en we vertellen je direct of je getroffen bent.

requirements.txt uploadenOndersteunde formaten: requirements.txt · Pipfile.lock

Impact en Aanvalsscenarioswordt vertaald…

The SSRF vulnerability in Nautobot arises from the ability of users to configure Webhooks that can initiate requests to arbitrary destinations. An attacker could leverage this to scan internal networks, access sensitive resources behind firewalls, or even interact with internal services that should not be publicly accessible. This could lead to data exfiltration, privilege escalation, or denial of service. The impact is amplified if the Nautobot instance is deployed in an environment with sensitive internal resources or if it's used to manage critical infrastructure. The ability to bypass access controls and directly interact with internal systems makes this a significant security risk.

Uitbuitingscontextwordt vertaald…

CVE-2026-44797 was published on May 13, 2026. Severity is rated HIGH with a CVSS score of 8.5. There is no indication of this vulnerability being actively exploited in the wild, nor is it currently listed on KEV or EPSS. Public proof-of-concept exploits are not currently available, but the SSRF nature of the vulnerability makes it a potential target for automated scanning and exploitation.

Dreigingsinformatie

Exploit Status

Proof of ConceptOnbekend
CISA KEVNO
InternetblootstellingHoog

CVSS-vector

DREIGINGSINFORMATIE· CVSS 3.1CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N8.5HIGHAttack VectorNetworkHoe de aanvaller het doel bereiktAttack ComplexityLowVereiste omstandigheden om te exploiterenPrivileges RequiredLowVereist authenticatieniveau voor aanvalUser InteractionNoneOf het slachtoffer actie moet ondernemenScopeChangedImpact buiten het getroffen onderdeelConfidentialityHighRisico op blootstelling van gevoelige dataIntegrityLowRisico op ongeautoriseerde gegevenswijzigingAvailabilityNoneRisico op verstoring van dienstennextguardhq.com · CVSS v3.1 Basisscore
Wat betekenen deze metrics?
Attack Vector
Netwerk — op afstand uitbuitbaar via internet. Geen fysieke of lokale toegang vereist.
Attack Complexity
Laag — geen speciale voorwaarden vereist. Betrouwbaar uitbuitbaar.
Privileges Required
Laag — elk geldig gebruikersaccount is voldoende.
User Interaction
Geen — automatische en stille aanval. Slachtoffer doet niets.
Scope
Gewijzigd — aanval kan voorbij het kwetsbare component uitbreiden naar andere systemen.
Confidentiality
Hoog — volledig verlies van vertrouwelijkheid. Aanvaller kan alle gegevens lezen.
Integrity
Laag — aanvaller kan enkele gegevens met beperkte omvang aanpassen.
Availability
Geen — geen beschikbaarheidsimpact.

Getroffen Software

Componentnautobot
Leverancierosv
Maximumversie3.1.1
Opgelost in3.1.2

Tijdlijn

  1. Gepubliceerd

Mitigatie en Workaroundswordt vertaald…

The primary mitigation for CVE-2026-44797 is to upgrade to Nautobot version 2.4.33 or 3.1.2. These versions include fixes that restrict Webhook requests to HTTP or HTTPS schemes by default. If immediate upgrading is not possible, consider implementing a Web Application Firewall (WAF) or proxy to filter outbound requests from the Nautobot instance, blocking requests to suspicious or unauthorized destinations. Additionally, review existing Webhook configurations to identify and disable any that might be vulnerable. The new settings variables WEBHOOKALLOWEDSCHEMES can be used to further restrict allowed schemes.

Hoe te verhelpenwordt vertaald…

Geen officiële patch beschikbaar. Zoek naar tijdelijke oplossingen of monitor updates.

Veelgestelde vragenwordt vertaald…

What is CVE-2026-44797 — SSRF in Nautobot?

CVE-2026-44797 is a HIGH severity SSRF vulnerability affecting Nautobot versions up to 3.1.1. It allows attackers to make unauthorized requests through misconfigured Webhooks, potentially accessing internal resources.

Am I affected by CVE-2026-44797 in Nautobot?

If you are running Nautobot version 3.1.1 or earlier, you are potentially affected by this vulnerability. Check your version and upgrade as soon as possible.

How do I fix CVE-2026-44797 in Nautobot?

Upgrade to Nautobot version 2.4.33 or 3.1.2. Configure the WEBHOOKALLOWEDSCHEMES setting to restrict allowed schemes and consider using a WAF as an interim measure.

Is CVE-2026-44797 being actively exploited?

There is currently no public evidence of CVE-2026-44797 being actively exploited, but the SSRF nature of the vulnerability warrants vigilance.

Where can I find the official Nautobot advisory for CVE-2026-44797?

Refer to the official Nautobot security advisories on their website or GitHub repository for the most up-to-date information and guidance regarding CVE-2026-44797.

Is jouw project getroffen?

Upload je dependency-bestand en kom direct te weten of deze en andere CVEs jou raken.

Gratis scannenCVEs zoeken
Python

Detecteer deze CVE in je project

Upload je requirements.txt-bestand en we vertellen je direct of je getroffen bent.

requirements.txt uploadenOndersteunde formaten: requirements.txt · Pipfile.lock
livefree scan

Scan nu uw Python project — geen account

Upload your requirements.txt and get the vulnerability report instantly. No account. Uploading the file is just the start: with an account you get continuous monitoring, Slack/email alerts, multi-project and white-label reports.

Manual scanSlack/email alertsContinue monitoringWhite-label reports

Sleep uw afhankelijkheidsbestand hierheen

composer.lock, package-lock.json, requirements.txt, Gemfile.lock, pubspec.lock, Dockerfile...