免费扫描

此页面尚未翻译为您的语言。我们正在努力翻译,目前显示英文内容。

💡 Keep dependencies up to date — most exploits target known, patchable vulnerabilities.

HIGHCVE-2026-44797CVSS 8.5

CVE-2026-44797: SSRF in Nautobot ≤3.1.1

翻译中…

平台

python

组件

nautobot

修复版本

3.1.2

在NVD查看
保存
正在翻译为您的语言…

CVE-2026-44797 describes a Server-Side Request Forgery (SSRF) vulnerability within Nautobot's Webhook functionality. This allows users with sufficient access to craft requests to unintended hosts and IP addresses, potentially leading to unauthorized access and data exposure. The vulnerability affects versions of Nautobot up to and including 3.1.1, and patches are available in versions 2.4.33 and 3.1.2.

Python

检测此 CVE 是否影响你的项目

上传你的 requirements.txt 文件,立即知道是否受影响。

上传 requirements.txt支持的格式: requirements.txt · Pipfile.lock

影响与攻击场景翻译中…

The SSRF vulnerability in Nautobot arises from the ability of users to configure Webhooks that can initiate requests to arbitrary destinations. An attacker could leverage this to scan internal networks, access sensitive resources behind firewalls, or even interact with internal services that should not be publicly accessible. This could lead to data exfiltration, privilege escalation, or denial of service. The impact is amplified if the Nautobot instance is deployed in an environment with sensitive internal resources or if it's used to manage critical infrastructure. The ability to bypass access controls and directly interact with internal systems makes this a significant security risk.

利用背景翻译中…

CVE-2026-44797 was published on May 13, 2026. Severity is rated HIGH with a CVSS score of 8.5. There is no indication of this vulnerability being actively exploited in the wild, nor is it currently listed on KEV or EPSS. Public proof-of-concept exploits are not currently available, but the SSRF nature of the vulnerability makes it a potential target for automated scanning and exploitation.

威胁情报

漏洞利用状态

概念验证未知
CISA KEVNO
互联网暴露

CVSS 向量

威胁情报· CVSS 3.1CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N8.5HIGHAttack VectorNetwork攻击者如何到达目标Attack ComplexityLow利用漏洞所需的条件Privileges RequiredLow攻击所需的认证级别User InteractionNone是否需要受害者采取行动ScopeChanged超出受影响组件的影响范围ConfidentialityHigh敏感数据泄露风险IntegrityLow数据未授权篡改风险AvailabilityNone服务中断风险nextguardhq.com · CVSS v3.1 基础分数
这些指标意味着什么?
Attack Vector
网络 — 可通过互联网远程利用,无需物理或本地访问。攻击面最大。
Attack Complexity
低 — 无需特殊条件,可以稳定地利用漏洞。
Privileges Required
低 — 任何有效用户账户均可。
User Interaction
无 — 攻击自动且无声,受害者无需任何操作。
Scope
已改变 — 攻击可以超出脆弱组件,影响其他系统。
Confidentiality
高 — 完全丧失机密性,攻击者可读取所有数据。
Integrity
低 — 攻击者可修改部分数据,影响有限。
Availability
无 — 无可用性影响。

受影响的软件

组件nautobot
供应商osv
最高版本3.1.1
修复版本3.1.2

时间线

  1. 发布日期

缓解措施和替代方案翻译中…

The primary mitigation for CVE-2026-44797 is to upgrade to Nautobot version 2.4.33 or 3.1.2. These versions include fixes that restrict Webhook requests to HTTP or HTTPS schemes by default. If immediate upgrading is not possible, consider implementing a Web Application Firewall (WAF) or proxy to filter outbound requests from the Nautobot instance, blocking requests to suspicious or unauthorized destinations. Additionally, review existing Webhook configurations to identify and disable any that might be vulnerable. The new settings variables WEBHOOKALLOWEDSCHEMES can be used to further restrict allowed schemes.

修复方法翻译中…

暂无官方补丁。请查找临时解决方案或持续关注更新。

常见问题翻译中…

What is CVE-2026-44797 — SSRF in Nautobot?

CVE-2026-44797 is a HIGH severity SSRF vulnerability affecting Nautobot versions up to 3.1.1. It allows attackers to make unauthorized requests through misconfigured Webhooks, potentially accessing internal resources.

Am I affected by CVE-2026-44797 in Nautobot?

If you are running Nautobot version 3.1.1 or earlier, you are potentially affected by this vulnerability. Check your version and upgrade as soon as possible.

How do I fix CVE-2026-44797 in Nautobot?

Upgrade to Nautobot version 2.4.33 or 3.1.2. Configure the WEBHOOKALLOWEDSCHEMES setting to restrict allowed schemes and consider using a WAF as an interim measure.

Is CVE-2026-44797 being actively exploited?

There is currently no public evidence of CVE-2026-44797 being actively exploited, but the SSRF nature of the vulnerability warrants vigilance.

Where can I find the official Nautobot advisory for CVE-2026-44797?

Refer to the official Nautobot security advisories on their website or GitHub repository for the most up-to-date information and guidance regarding CVE-2026-44797.

你的项目受影响吗?

上传你的依赖文件,立即了解此CVE和其他CVE是否影响你。

免费扫描搜索 CVE
Python

检测此 CVE 是否影响你的项目

上传你的 requirements.txt 文件,立即知道是否受影响。

上传 requirements.txt支持的格式: requirements.txt · Pipfile.lock
live免费扫描

立即扫描您的Python项目 — 无需账户

Upload your requirements.txt and get the vulnerability report instantly. No account. Uploading the file is just the start: with an account you get continuous monitoring, Slack/email alerts, multi-project and white-label reports.

手动扫描Slack/邮件提醒持续监控白标报告

拖放您的依赖文件

composer.lock、package-lock.json、requirements.txt、Gemfile.lock、pubspec.lock、Dockerfile...

CVE-2026-44797 — Vulnerability Details | NextGuard