MEDIUM · CVE-2026-44796 · CVSS 6.5

CVE-2026-44796: DoS in Nautobot

Platform: python

Component: nautobot

Fixed version: 3.1.2

CVE-2026-44796 describes a Denial of Service (DoS) vulnerability discovered in Nautobot. Attackers can trigger this vulnerability by crafting malicious regular expressions within the find field of UI object-bulk-rename endpoints, combined with the use_regex flag. This can lead to an application-wide denial of service, rendering the Nautobot interface unresponsive. The vulnerability affects versions of Nautobot up to 3.1.1, and a fix is available in version 3.1.2.

Impact and attack scenarios

The primary impact of CVE-2026-44796 is a denial of service. A successful exploit can overwhelm the Nautobot application with regular expression evaluation, preventing legitimate users from accessing and managing network devices and configurations. This disruption can significantly impact network operations and troubleshooting efforts. The vulnerability lies within the UI object-bulk-rename endpoints, specifically when the use_regex flag is enabled alongside a malicious find parameter. The regular expression engine's inability to handle complex or poorly formed patterns can lead to excessive resource consumption and application instability. The blast radius is the entire Nautobot application, potentially impacting all users.

Exploitation context

CVE-2026-44796 was published on May 13, 2026. The vulnerability's severity is rated as Medium. No proof-of-concept (PoC) code has been publicly disclosed at the time of writing. There are no indications of active exploitation campaigns targeting this vulnerability. The NVD and CISA databases reflect the publication date.

Threat intelligence

Exploitation status

Proof of concept: Unknown
CISA KEV: No
Internet exposure

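CVSS vector

Threat intelligence · CVSS 3.1: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H, 6.5 MEDIUM (nextguardhq.com · CVSS v3.1 base score)

- Attack Vector: Network (how the attacker reaches the target)
- Attack Complexity: Low (conditions required to exploit the vulnerability)
- Privileges Required: Low (level of authentication the attack requires)
- User Interaction: None (whether the victim has to take any action)
- Scope: Unchanged (impact beyond the affected component)
- Confidentiality: None (risk of sensitive data disclosure)
- Integrity: None (risk of unauthorized data modification)
- Availability: High (risk of service disruption)

What do these metrics mean?

- Attack Vector: Network. Remotely exploitable over the internet, with no physical or local access required. Largest attack surface.
- Attack Complexity: Low. No special conditions are required; the vulnerability can be exploited reliably.
- Privileges Required: Low. Any valid user account is sufficient.
- User Interaction: None. The attack is automatic and silent; the victim does not need to do anything.
- Scope: Unchanged. The impact is limited to the vulnerable component itself.
- Confidentiality: None. No confidentiality impact.
- Integrity: None. No integrity impact.
- Availability: High. Complete crash or resource exhaustion, a total denial of service.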

Affected software

Component: nautobot
Vendor: osv
Highest version: 3.1.1
Fixed version: 3.1.2

Timeline

  1. Publication date

Mitigations and workarounds

The recommended mitigation for CVE-2026-44796 is to upgrade to Nautobot version 3.1.2 or later. This version introduces a general-purpose timeout to the affected endpoints, preventing regular expression evaluation from continuing indefinitely. If upgrading is not immediately feasible, consider restricting access to the /dcim/interfaces/rename/ and similar endpoints to trusted users only. While a direct workaround isn't available, careful input validation on the find field could offer limited protection, but is not a substitute for patching. After upgrading, confirm the fix by attempting to trigger the vulnerability with a known malicious regular expression and verifying that the request times out as expected.
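The timeout approach described above, as an added example: this is not Nautobot's code, and the page does not show how 3.1.2 implements its timeout. The names `bulk_rename` and `RegexTimeout` are hypothetical and the POSIX `fork` start method is assumed; a pattern that overruns its budget is killed and reported as `RegexTimeout` instead of tying up the application.

```python
import multiprocessing as mp
import re

# Assumption: POSIX "fork" start method, so the worker needs no re-import.
_CTX = mp.get_context("fork")


class RegexTimeout(Exception):
    """The pattern did not finish within its time budget."""


def _worker(conn, find, replace, names):
    # Runs in a child process so a runaway match can be killed from outside;
    # Python's re module has no timeout parameter of its own.
    try:
        rx = re.compile(find)
        conn.send(("ok", [rx.sub(replace, n) for n in names]))
    except Exception as exc:  # invalid pattern, bad group reference, ...
        conn.send(("error", f"{type(exc).__name__}: {exc}"))
    finally:
        conn.close()


def bulk_rename(names, find, replace, timeout=2.0):
    """Apply a user-supplied regex rename to names within `timeout` seconds."""
    parent, child = _CTX.Pipe(duplex=False)  # parent reads, child writes
    proc = _CTX.Process(target=_worker, args=(child, find, replace, names))
    proc.start()
    child.close()  # the parent does not write; drop its copy of the write end
    try:
        if not parent.poll(timeout):
            raise RegexTimeout(f"regex exceeded {timeout}s budget")
        status, payload = parent.recv()
    finally:
        if proc.is_alive():
            proc.kill()  # SIGKILL stops the match even mid-backtrack
        proc.join()
        parent.close()
    if status == "error":
        raise ValueError(payload)
    return payload


if __name__ == "__main__":
    # Constructed sample names, not taken from a real inventory.
    print(bulk_rename(["eth0", "eth1"], r"^eth(\d+)$", r"Ethernet\1"))
```

A process per request is costly; the point is that the budget is enforced from outside the regex engine, so the caller regains control regardless of the pattern.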

How to fix

No official patch is available yet. Look for a temporary workaround or keep watching for updates.

Frequently asked questions

What is CVE-2026-44796 — DoS in Nautobot?

CVE-2026-44796 is a Denial of Service vulnerability in Nautobot affecting versions up to 3.1.1. It allows attackers to cause a denial of service by exploiting regular expression handling in UI bulk-rename endpoints.

Am I affected by CVE-2026-44796 in Nautobot?

You are affected if you are running Nautobot version 3.1.1 or earlier. The vulnerability lies in how the application handles regular expressions in specific UI endpoints.

How do I fix CVE-2026-44796 in Nautobot?

Upgrade to Nautobot version 3.1.2 or later. This version includes a timeout mechanism to prevent indefinite regular expression evaluation and mitigate the DoS vulnerability.

Is CVE-2026-44796 being actively exploited?

There are currently no public reports or indications of active exploitation campaigns targeting CVE-2026-44796.

Where can I find the official Nautobot advisory for CVE-2026-44796?

Refer to the Nautobot security advisories page for the latest information and official announcements regarding CVE-2026-44796: [https://nautobot.io/security/](https://nautobot.io/security/)
