CVE-2026-44798: GitRepository Manipulation in Nautobot
平台
python
组件
nautobot
修复版本
3.1.2
CVE-2026-44798 is a security vulnerability affecting Nautobot versions up to 3.1.1. It allows a user with permissions to modify GitRepository records to directly manipulate the current_head field via the REST API. This manipulation can lead to misleading repository state or even prevent Nautobot from utilizing the repository, requiring manual remediation.
检测此 CVE 是否影响你的项目
上传你的 requirements.txt 文件,立即知道是否受影响。
影响与攻击场景翻译中…
The primary impact of CVE-2026-44798 is the potential for disruption and misrepresentation of repository data within Nautobot. An attacker who can add or modify GitRepository records can maliciously set the current_head field to point to a non-existent commit hash or an invalid value. This can effectively break Nautobot's ability to track the correct state of the repository, leading to incorrect data being displayed or used in workflows. While not a direct data breach, the manipulation of repository state can have significant operational consequences, potentially impacting deployments and automation processes. The blast radius is limited to the affected Nautobot instance and its associated repositories.
利用背景翻译中…
CVE-2026-44798 was published on May 13, 2026. Its CVSS score is 7.1 (HIGH). There are currently no publicly known proof-of-concept exploits. The vulnerability is not listed on KEV or EPSS, suggesting a low to medium probability of exploitation. Active campaigns are not currently known.
威胁情报
漏洞利用状态
CVSS 向量
这些指标意味着什么?
- Attack Vector
- 网络 — 可通过互联网远程利用,无需物理或本地访问。攻击面最大。
- Attack Complexity
- 低 — 无需特殊条件,可以稳定地利用漏洞。
- Privileges Required
- 低 — 任何有效用户账户均可。
- User Interaction
- 无 — 攻击自动且无声,受害者无需任何操作。
- Scope
- 未改变 — 影响仅限于脆弱组件本身。
- Confidentiality
- 无 — 无机密性影响。
- Integrity
- 低 — 攻击者可修改部分数据,影响有限。
- Availability
- 高 — 完全崩溃或资源耗尽,完全拒绝服务。
受影响的软件
时间线
- 发布日期
缓解措施和替代方案翻译中…
The recommended mitigation for CVE-2026-44798 is to upgrade to Nautobot version 3.1.2 or later, which includes the fix. If an immediate upgrade is not possible, consider restricting access to the GitRepository record modification functionality to only authorized personnel. Implement strict input validation on the currenthead field within the REST API to prevent the setting of invalid or unexpected values. Regularly audit GitRepository records for any suspicious changes. After upgrade, confirm by verifying the currenthead field on several GitRepository records reflects the expected latest commit.
修复方法翻译中…
暂无官方补丁。请查找临时解决方案或持续关注更新。
常见问题翻译中…
What is CVE-2026-44798 — GitRepository Manipulation in Nautobot?
CVE-2026-44798 is a HIGH severity vulnerability in Nautobot versions ≤3.1.1 that allows unauthorized modification of the current_head field in GitRepository records, potentially disrupting repository access or providing misleading state.
Am I affected by CVE-2026-44798 in Nautobot?
You are affected if you are running Nautobot version 3.1.1 or earlier. Check your version and upgrade as soon as possible to mitigate the risk.
How do I fix CVE-2026-44798 in Nautobot?
Upgrade to Nautobot version 3.1.2 or later. If immediate upgrade is not possible, restrict access to GitRepository modification and implement input validation.
Is CVE-2026-44798 being actively exploited?
Currently, there are no publicly known active exploitation campaigns or proof-of-concept exploits for CVE-2026-44798.
Where can I find the official Nautobot advisory for CVE-2026-44798?
Refer to the official Nautobot security advisory for detailed information and updates regarding CVE-2026-44798: [https://nautobot.io/security/advisories/](https://nautobot.io/security/advisories/)
检测此 CVE 是否影响你的项目
上传你的 requirements.txt 文件,立即知道是否受影响。
立即扫描您的Python项目 — 无需账户
Upload your requirements.txt and get the vulnerability report instantly. No account. Uploading the file is just the start: with an account you get continuous monitoring, Slack/email alerts, multi-project and white-label reports.
拖放您的依赖文件
composer.lock、package-lock.json、requirements.txt、Gemfile.lock、pubspec.lock、Dockerfile...