PatchSiren cyber security CVE debrief
CVE-2026-44794 nautobot CVE debrief
Nautobot, a Network Source of Truth and Network Automation Platform, contains an authorization bypass vulnerability in its REST API. Prior to versions 2.4.33 and 3.1.2, when creating or updating objects that use GenericForeignKey references (a Django pattern allowing polymorphic relationships to multiple content types), the API failed to enforce user 'view' permissions when validating object references. This means authenticated users with limited permissions could potentially discover or confirm the existence of objects they were not authorized to view by attempting to reference them through GenericForeignKey fields. The vulnerability stems from missing permission checks during reference validation, not during the actual data retrieval. This is classified as CWE-862 (Missing Authorization). The issue was fixed by implementing proper view permission enforcement in the REST API's GenericForeignKey handling. Organizations should upgrade to Nautobot 2.4.33 or 3.1.2 to remediate this vulnerability.
- Vendor: nautobot
- Product: Unknown
- CVSS: MEDIUM 5.4
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-28
- Original CVE updated: 2026-05-29
- Advisory published: 2026-05-28
- Advisory updated: 2026-05-29
Who should care
Organizations using Nautobot for network automation and infrastructure management, particularly multi-tenant deployments and those with strict role-based access control requirements, where segmentation of network topology or configuration data between user groups matters.
Technical summary
The vulnerability exists in Nautobot's REST API handling of GenericForeignKey references. GenericForeignKey is a Django ORM feature that lets a model point at any other model (from a defined set of content types) through a paired content_type and object_id field. When validating such a reference during object creation or update, Nautobot's API serializers checked that the referenced object exists but did not verify that the requesting user held 'view' permission on it. Because the API answers differently for a reference to an existing object than for a reference to a nonexistent one, an authenticated user could probe (content type, object id) pairs across models they could not otherwise read and learn which objects exist, an information disclosure and authorization bypass. The fix applies Nautobot's existing permission framework to the reference lookup before a GenericForeignKey reference is accepted.
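The following is an added illustration, not Nautobot code: a toy in-memory model of serializer reference validation that shows the existence oracle in the pre-fix logic and how restricting the lookup to viewable objects closes it. The content types, objects, the per-content-type 'view' flag (Nautobot's real permission model is finer-grained, with object-level constraints), the function names and the error text are all constructed assumptions.

```python
"""Toy model of GenericForeignKey reference validation in a REST API serializer.

Added example, not Nautobot code. The content types, objects and the user's
'view' permissions below are constructed in memory; the function names
(validate_reference_vulnerable, validate_reference_fixed, probe) and the
error text are hypothetical stand-ins for serializer validation.
"""
from dataclasses import dataclass, field


class ValidationError(Exception):
    """Serializer-style rejection; its message is what the API client sees."""


@dataclass(frozen=True)
class ContentType:
    app_label: str
    model: str


@dataclass
class User:
    username: str
    view_perms: frozenset = field(default_factory=frozenset)  # ContentTypes the user may view

    def can_view(self, ct: ContentType) -> bool:
        return ct in self.view_perms


DEVICE = ContentType("dcim", "device")
TENANT = ContentType("tenancy", "tenant")

# Constructed "database": which primary keys exist per content type.
DB = {
    DEVICE: {1, 2, 3},
    TENANT: {10, 11},
}

# One error string for every rejection. Distinct "not found" and "forbidden"
# messages would re-create the oracle even with the permission check in place.
NOT_FOUND = "Related object not found using the provided attributes"


def validate_reference_vulnerable(user: User, ct: ContentType, object_id: int):
    """Pre-fix behaviour: only existence is checked; the caller's permissions are not."""
    if object_id not in DB.get(ct, set()):
        raise ValidationError(NOT_FOUND)
    return (ct, object_id)


def validate_reference_fixed(user: User, ct: ContentType, object_id: int):
    """Fixed behaviour: the lookup runs over the objects the user may 'view' only.

    This mirrors restricting the lookup queryset by permission before the
    existence test, so an unviewable object and a missing one are indistinguishable.
    """
    viewable = DB.get(ct, set()) if user.can_view(ct) else set()
    if object_id not in viewable:
        raise ValidationError(NOT_FOUND)
    return (ct, object_id)


def probe(validator, user: User, ct: ContentType, ids):
    """The attacker's oracle: which ids does the validator accept as references?"""
    found = set()
    for oid in ids:
        try:
            validator(user, ct, oid)
            found.add(oid)
        except ValidationError:
            pass
    return found


if __name__ == "__main__":
    limited = User("limited", frozenset({DEVICE}))  # may view devices, not tenants
    ids = range(0, 20)
    print("vulnerable:", sorted(probe(validate_reference_vulnerable, limited, TENANT, ids)))  # [10, 11]
    print("fixed:     ", sorted(probe(validate_reference_fixed, limited, TENANT, ids)))       # []
    print("own type:  ", sorted(probe(validate_reference_fixed, limited, DEVICE, ids)))       # [1, 2, 3]
```

The check worth running against an upgraded instance is the same one the probe function performs: with a user that lacks 'view' on a model, a reference to an object that exists and a reference to an id that does not must produce the same response status and body. Any difference, including a different error message or a different status code, is still an existence oracle.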
Defensive priority
MEDIUM
Recommended defensive actions
- Upgrade Nautobot to 2.4.33 or later on the 2.4 release line, or 3.1.2 or later on the 3.x release line
- Review API access logs for POST, PUT and PATCH requests from lower-privileged users that carry content-type/object-id reference pairs, especially bursts of rejected requests from one user with varying object ids, which is what an existence scan looks like
- Audit user permissions to ensure the principle of least privilege is enforced
- Validate that custom apps or plugins that accept GenericForeignKey references through the API also enforce 'view' permission on the referenced object
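As an added example of the log review described above (not a Nautobot feature): a heuristic that groups write requests by user and flags anyone whose requests were rejected for many distinct object references. The JSON records are constructed and assume a gateway or middleware that logs, per write request, the user, method, path, status and the referenced (content type, object id) pair from the request body; those field names, and the assumption that serializer rejections surface as HTTP 400, are hypothetical and should be adapted to what your deployment actually records.

```python
"""Heuristic detection of GenericForeignKey existence probing in API access logs.

Added example, not a Nautobot feature. The JSON records are constructed and
assume an API gateway or middleware that logs, per write request, the user,
method, path, status and the referenced (content type, object id) pair from
the request body; the field names are hypothetical.
"""
import json
from collections import defaultdict

WRITE_METHODS = {"POST", "PUT", "PATCH"}


def _record(ts, user, status, ref_type, ref_id, path="/api/extras/notes/", method="POST"):
    """Build one constructed log line in the assumed JSON format."""
    return json.dumps({"ts": ts, "user": user, "method": method, "path": path,
                       "status": status, "ref": {"type": ref_type, "id": ref_id}})


def build_sample_log():
    """Constructed log: 'scanner' walks tenant ids 1..40; 'ops' makes routine requests."""
    lines = []
    existing = {10, 11}  # tenants that exist but the scanner is not allowed to view
    for i in range(1, 41):
        status = 201 if i in existing else 400
        lines.append(_record(f"2026-05-29T10:00:{i % 60:02d}Z", "scanner", status, "tenancy.tenant", i))
    for i, dev in enumerate((5, 6, 7)):
        lines.append(_record(f"2026-05-29T11:00:0{i}Z", "ops", 201, "dcim.device", dev))
    lines.append(_record("2026-05-29T11:05:00Z", "ops", 400, "dcim.device", 99))  # a single typo
    return lines


def find_probers(lines, min_failures=10):
    """Return users whose write requests were rejected for many distinct references.

    Heuristic: many 400s on distinct (type, id) pairs from one user looks like an
    existence scan; the 2xx responses among them are the references the scan confirmed.
    """
    stats = defaultdict(lambda: {"rejected": set(), "confirmed": set()})
    for line in lines:
        rec = json.loads(line)
        ref = rec.get("ref")
        if rec["method"] not in WRITE_METHODS or not ref:
            continue
        key = (ref["type"], ref["id"])
        bucket = stats[rec["user"]]
        if rec["status"] == 400:
            bucket["rejected"].add(key)
        elif 200 <= rec["status"] < 300:
            bucket["confirmed"].add(key)
    return {u: s for u, s in stats.items() if len(s["rejected"]) >= min_failures}


if __name__ == "__main__":
    for user, s in find_probers(build_sample_log()).items():
        print(f"{user}: {len(s['rejected'])} rejected references, confirmed {sorted(s['confirmed'])}")
```

On a pre-fix instance the confirmed set is what the scanner learned; on a fixed instance every reference to an unviewable object is rejected, so the same heuristic still surfaces the attempt but the confirmed set will be empty. Tune min_failures to the normal rate of validation errors from your automation clients, which legitimately produce some 400s.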
Evidence notes
CVE published 2026-05-28. CVSS 5.4 (MEDIUM). Affects Nautobot prior to 2.4.33 and 3.1.2. Fixed in commits 36cde7148a207234de6212ec074f321dbc9d1b5b and 9918bdb9bcf1eb42cda72c344f420a64ef7665f1. Official GitHub Security Advisory GHSA-wpxj-44w3-2j6x published by [email protected].
Official resources
2026-05-28