PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-44796 nautobot CVE debrief

Nautobot, a Network Source of Truth and Network Automation Platform, contains a denial-of-service vulnerability in its UI object-bulk-rename endpoints (e.g., /dcim/interfaces/rename/). Prior to versions 2.4.33 and 3.1.2, authenticated users with access to these endpoints could trigger application-wide DoS by submitting maliciously crafted regular expressions in the find field when the use_regex flag is enabled. The vulnerability stems from unbounded regular expression evaluation (ReDoS), classified under CWE-400 (Uncontrolled Resource Consumption) and CWE-1333 (Inefficient Regular Expression Complexity). The CVSS 3.1 score of 6.5 (Medium) reflects network attack vector, low attack complexity, required low privileges, no user interaction, and high availability impact. Fixes were released on May 28, 2026, with commits 5a30d091 and c2b7669 addressing the regex handling.

Vendor
nautobot
Product
Unknown
CVSS
MEDIUM 6.5
CISA KEV
Not listed in stored evidence
Original CVE published
2026-05-28
Original CVE updated
2026-05-29
Advisory published
2026-05-28
Advisory updated
2026-05-29

Who should care

Organizations running Nautobot instances for network automation and documentation, particularly those with multi-user environments where non-administrative users have access to bulk editing features. Security teams should prioritize patching due to the low barrier to exploitation and high availability impact.

Technical summary

The vulnerability exists in Nautobot's UI object-bulk-rename functionality, where user-supplied regular expressions in the find field are evaluated without safeguards against catastrophic backtracking. When use_regex is enabled, a pattern with nested quantifiers (e.g., (a+)+) matched against input that does not fully match forces the regex engine to try every way of dividing the input between the inner and outer repetition before it can fail, so execution time grows exponentially with input length; the resulting CPU consumption renders the application unresponsive for all users. The attack requires only low-privileged authenticated access and can be executed remotely without user interaction. The fix implements regex validation and/or timeout mechanisms to prevent unbounded execution.

Defensive priority

medium

Recommended defensive actions

  • Upgrade Nautobot to version 2.4.33 or later, or to version 3.1.2 or later
  • If immediate patching is not feasible, restrict access to bulk-rename endpoints to trusted administrative users only
  • Monitor application performance for unusual CPU consumption patterns that may indicate ReDoS exploitation attempts
  • Review web server and application logs for suspicious regex patterns in rename operations
  • Consider implementing input validation or rate limiting on bulk-rename functionality as a temporary mitigation
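The following is an added example, not Nautobot's code and not the content of the fix commits. It shows the two defensive ideas from the technical summary and the action list above in working Python: a static check that rejects the nested-quantifier shape (a repeating quantifier applied to a group that itself contains a quantifier) before a find pattern reaches the regex engine, and a small audit that runs the same check over log lines recording rename submissions. The pattern length limit, the `check_find_pattern` function and the log line format are assumptions made for this example; the request path `/dcim/interfaces/rename/` and the `find` and `use_regex` field names come from the advisory text.

```python
import re
from urllib.parse import parse_qs

# Assumed local policy values for this example; these are not Nautobot settings.
MAX_PATTERN_LENGTH = 200
RENAME_PATH_SUFFIX = "/rename/"   # bulk-rename endpoints such as /dcim/interfaces/rename/

_BRACE = re.compile(r"\{(\d+)(,(\d*))?\}")


def _quantifier(pattern, i):
    """Return (token_length, repeats) for a quantifier starting at pattern[i], or
    (0, False). `repeats` is True for *, +, {n,} and {n,m}, the forms that let the
    engine retry many ways of splitting the input; ? and a fixed {n} do not count."""
    c = pattern[i]
    if c in "*+":
        n, repeats = 1, True
    elif c == "?":
        n, repeats = 1, False
    elif c == "{":
        m = _BRACE.match(pattern, i)
        if not m:
            return 0, False              # a bare '{' is a literal in Python's re
        n, repeats = m.end() - i, m.group(2) is not None
    else:
        return 0, False
    if i + n < len(pattern) and pattern[i + n] in "?+":
        n += 1                           # lazy (?) or possessive (+) suffix
    return n, repeats


def has_nested_quantifier(pattern):
    """True if a repeating quantifier applies to a group that itself contains a
    quantifier, e.g. (a+)+ or (\\d+\\.)*: the classic catastrophic-backtracking shape."""
    stack = []                      # one flag per open group: does it contain a quantifier?
    closed_had_quantifier = False   # did the previous token close such a group?
    i, n = 0, len(pattern)
    while i < n:
        c = pattern[i]
        if c == "\\":                            # escaped char: never a group or quantifier
            i += 2
        elif c == "[":                           # character class: skip to its closing ']'
            j = i + 1
            if j < n and pattern[j] == "^":
                j += 1
            if j < n and pattern[j] == "]":      # ']' first in a class is a literal
                j += 1
            while j < n and pattern[j] != "]":
                j += 2 if pattern[j] == "\\" else 1
            i = j + 1
        elif c == "(":
            stack.append(False)
            i += 1
            if i < n and pattern[i] == "?":      # (?:...), (?P<name>...), (?=...), flags
                i += 1
                if pattern.startswith("P<", i):
                    end = pattern.find(">", i)
                    i = n if end < 0 else end + 1
                elif pattern.startswith("<", i):
                    i += 2
                else:
                    i += 1
        elif c == ")":
            closed_had_quantifier = stack.pop() if stack else False
            i += 1
            continue                             # keep the flag for the next token
        else:
            length, repeats = _quantifier(pattern, i)
            if length:
                if repeats and closed_had_quantifier:
                    return True
                stack[:] = [True] * len(stack)   # every enclosing group now contains one
                i += length
            else:
                i += 1
        closed_had_quantifier = False
    return False


def check_find_pattern(find, use_regex):
    """Validate a bulk-rename 'find' value before it reaches the regex engine.
    Returns (accepted, reason). Hypothetical helper, not a Nautobot API."""
    if not use_regex:
        return True, "literal match"            # no regex semantics at all
    if len(find) > MAX_PATTERN_LENGTH:
        return False, "pattern too long"
    try:
        re.compile(find)
    except re.error as exc:
        return False, f"invalid regex: {exc}"
    if has_nested_quantifier(find):
        return False, "nested quantifier"
    return True, "regex accepted"


# Constructed log lines in a made-up format: timestamp, user, method, path, form body.
SAMPLE_LOG = [
    "2026-01-01T10:00:01Z user=alice POST /dcim/interfaces/rename/ body=find=eth&replace=Ethernet&use_regex=false",
    "2026-01-01T10:00:02Z user=bob POST /dcim/interfaces/rename/ body=find=%5Eeth%28%5Cd%2B%29%24&replace=Ethernet%5C1&use_regex=true",
    "2026-01-01T10:00:03Z user=carol POST /dcim/interfaces/rename/ body=find=%28a%2B%29%2B%24&replace=x&use_regex=true",
    "2026-01-01T10:00:04Z user=alice GET /dcim/interfaces/",
]


def audit_rename_requests(log_lines):
    """Return (find, reason) for every logged rename submission the validator rejects."""
    findings = []
    for line in log_lines:
        if RENAME_PATH_SUFFIX not in line or "body=" not in line:
            continue
        params = parse_qs(line.split("body=", 1)[1])
        find = params.get("find", [""])[0]
        use_regex = params.get("use_regex", ["false"])[0].lower() == "true"
        accepted, reason = check_find_pattern(find, use_regex)
        if not accepted:
            findings.append((find, reason))
    return findings


if __name__ == "__main__":
    for find, reason in audit_rename_requests(SAMPLE_LOG):
        print(f"rejected find={find!r}: {reason}")
```

The static check is a heuristic: it catches the nested-quantifier shape named in the advisory but not every slow pattern (an overlapping alternation such as `(a|aa)+` passes it), so it belongs alongside the access restriction and CPU monitoring listed above rather than replacing them. Python's built-in `re` module offers no matching timeout; if a hard bound on evaluation time is required, the third-party `regex` package accepts a `timeout` argument on its match functions, and the audit above can be pointed at real request logs once the body format is adjusted to match what the web server actually records.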

Evidence notes

Vulnerability confirmed via GitHub Security Advisory GHSA-qrpw-gjvh-x5gm. Fix commits and release tags verified. CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H. Weaknesses: CWE-400, CWE-1333.

Official resources

2026-05-28