PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-44798 Networktocode CVE debrief

A vulnerability in Nautobot, a Network Source of Truth and Network Automation Platform, allows authenticated users with GitRepository modification privileges to manipulate repository state through an API field that was never meant to be writable. The `current_head` field, intended for internal use only, can be set directly via REST API calls. This enables attackers to force Nautobot's local repository clones to check out an arbitrary commit hash rather than the latest commit on the configured branch. Consequences include operational disruption from stale or missing configuration data, complete repository unavailability if a nonexistent or malformed hash is supplied, and misleading system state that feeds downstream automation workflows. The root cause is an internal field exposed as writable through the API (CWE-471, Modification of Assumed-Immutable Data; CWE-749, Exposed Dangerous Method or Function). Fixed versions make `current_head` read-only through the API, so only Nautobot's internal synchronization mechanisms can update it.

Vendor
Networktocode
Product
Nautobot
CVSS
HIGH 7.1
CISA KEV
Not listed in stored evidence
Original CVE published
2026-05-28
Original CVE updated
2026-05-28
Advisory published
2026-05-28
Advisory updated
2026-05-28

Who should care

Organizations using Nautobot for network automation and configuration management, particularly those with delegated GitRepository administration to non-core infrastructure teams. Security teams monitoring for API abuse or supply chain integrity risks in network automation pipelines. Operations teams relying on Nautobot's Git synchronization for accurate network state representation.

Technical summary

The Nautobot REST API exposes the `current_head` field on GitRepository records without write protection. Authenticated users with add/change permissions on GitRepository can submit PATCH or PUT requests that set this field to an arbitrary commit hash. Nautobot uses `current_head` to record which commit is checked out in its local repository clones, so an externally supplied value makes the clones check out that commit instead of the tip of the configured branch. A stale but valid commit silently breaks configuration synchronization; a nonexistent or malformed hash makes the checkout fail outright. Because `remote_url` and `branch` are left untouched, the pinned commit is not visible from the repository's configuration alone, and since Nautobot's own sync jobs also write `current_head`, a changed value is only suspicious when the object change log attributes it to a user or API token rather than to a sync. The fix makes `current_head` a read-only field in the API serializer, so only internal repository synchronization tasks can update it.
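A non-destructive way to tell whether a running instance still accepts writes to `current_head` is to inspect the API's OPTIONS metadata rather than attempting a write. The script below is an added example, not Nautobot's or the vendor's code. It assumes the GitRepository endpoint lives at `/api/extras/git-repositories/` and that Nautobot returns Django REST Framework's default OPTIONS metadata, in which every field a PUT/POST would accept is listed under `actions` with a `read_only` flag; DRF only emits `actions` for methods the calling token is permitted to use, so the check has to run as a user who can change GitRepository objects. The two sample documents are constructed, not captured from a real instance.

```python
"""Check whether `current_head` is writable on the GitRepository API.

Added example, not part of Nautobot. Relies on DRF OPTIONS metadata
(`actions.PUT` / `actions.POST` listing writable fields).
"""
import json
import os
import sys
import urllib.request

# Assumed endpoint path for GitRepository records in the Nautobot REST API.
GIT_REPOS_ENDPOINT = "/api/extras/git-repositories/"


def current_head_is_writable(options_doc: dict) -> bool:
    """Return True when the OPTIONS metadata marks `current_head` as writable.

    `options_doc` is the parsed JSON body of `OPTIONS <endpoint>`. A field that
    appears under a write method without `read_only: true` is accepted on
    PUT/PATCH, which is the unpatched behaviour. A missing `actions` block means
    the caller lacks write permission, so nothing can be concluded; that case
    is reported as not writable and the caller should retry with a suitable token.
    """
    actions = options_doc.get("actions") or {}
    for method in ("PUT", "POST"):
        field = (actions.get(method) or {}).get("current_head")
        if field is not None and not field.get("read_only", False):
            return True
    return False


def fetch_options(base_url: str, token: str) -> dict:
    """Issue the OPTIONS request with a Nautobot API token and parse the JSON."""
    req = urllib.request.Request(
        base_url.rstrip("/") + GIT_REPOS_ENDPOINT,
        method="OPTIONS",
        headers={"Authorization": f"Token {token}", "Accept": "application/json"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


# Constructed sample metadata: only the fields relevant to this check are shown.
UNPATCHED_OPTIONS = {
    "actions": {
        "PUT": {
            "branch": {"type": "string", "required": False, "read_only": False},
            "remote_url": {"type": "string", "required": True, "read_only": False},
            # Unpatched: current_head is listed like any other writable field.
            "current_head": {"type": "string", "required": False, "read_only": False},
        }
    }
}
PATCHED_OPTIONS = {
    "actions": {
        "PUT": {
            "branch": {"type": "string", "required": False, "read_only": False},
            "remote_url": {"type": "string", "required": True, "read_only": False},
            # Patched: the serializer declares the field read-only.
            "current_head": {"type": "string", "required": False, "read_only": True},
        }
    }
}


if __name__ == "__main__":
    base_url = os.environ.get("NAUTOBOT_URL")
    token = os.environ.get("NAUTOBOT_TOKEN")
    if base_url and token:
        doc = fetch_options(base_url, token)
    else:
        # No instance configured: demonstrate on the constructed samples.
        print("unpatched sample writable:", current_head_is_writable(UNPATCHED_OPTIONS))
        doc = PATCHED_OPTIONS
    verdict = current_head_is_writable(doc)
    print("current_head writable via API:", verdict)
    sys.exit(1 if verdict else 0)
```

Set `NAUTOBOT_URL` and `NAUTOBOT_TOKEN` to run it against an instance; the non-zero exit status on a writable field makes it easy to wire into a pre-upgrade inventory script. Treat a result of "not writable" from a token without change permission as inconclusive, for the reason given in the docstring.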

Defensive priority

HIGH

Recommended defensive actions

  • Upgrade to Nautobot 2.4.33 (2.4.x line) or 3.1.2 (3.x line) or later to obtain the fix that makes current_head read-only through the API
  • Before patching, audit GitRepository records for current_head values that do not match the tip of the configured branch, and use the object change log to see which user or token last wrote the field; sync jobs also write it legitimately, so the writer matters more than the fact that it changed
  • Review Nautobot's object change log, and any API gateway or proxy logs that capture request bodies, for PATCH or PUT requests to the GitRepository endpoint that set current_head; ordinary HTTP access logs record method and path but usually not the body
  • After upgrading, resync each repository and confirm that current_head matches the latest commit on the configured branch (for example, the hash reported by git ls-remote for that branch)
  • As defense in depth, limit add/change actions on the GitRepository object type to essential administrative accounts; the same permission also governs remote_url and branch, so it already amounts to control over what Nautobot pulls
  • Monitor Nautobot job logs for repository clone failures or checkout errors, which may indicate that a nonexistent or malformed hash was written before patching
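The audit and post-upgrade verification steps above come down to one comparison: is each repository's `current_head` a well-formed object id, and is it the tip of the configured branch on the remote? The script below is an added example, not Nautobot's or the vendor's code, and runs on constructed data. It assumes the GitRepository records come from `GET /api/extras/git-repositories/` with `name`, `remote_url`, `branch` and `current_head` fields, and that the branch tips come from `git ls-remote --heads <remote_url>`; neither call is made here, the sample records and ls-remote output are embedded and labelled as constructed.

```python
"""Audit GitRepository current_head values against remote branch tips.

Added example, not part of Nautobot. Record fields and the ls-remote input
format are assumptions stated in the lead-in; sample data is constructed.
"""
import re

# Git object ids are lowercase hex: 40 chars (SHA-1) or 64 chars (SHA-256 repos).
HEX_OBJECT_ID = re.compile(r"[0-9a-f]{40}|[0-9a-f]{64}")


def parse_ls_remote(output: str) -> dict[str, str]:
    """Map branch name -> tip commit from `git ls-remote --heads` output."""
    tips: dict[str, str] = {}
    for line in output.splitlines():
        line = line.strip()
        if not line:
            continue
        sha, ref = line.split(None, 1)
        if ref.startswith("refs/heads/"):
            tips[ref[len("refs/heads/"):]] = sha.lower()
    return tips


def audit_repository(record: dict, tips: dict[str, str]) -> list[str]:
    """Return findings for one GitRepository record; an empty list means healthy."""
    findings: list[str] = []
    head = (record.get("current_head") or "").strip().lower()
    branch = record["branch"]
    if not head:
        findings.append("current_head is empty: never synced or cleared")
        return findings
    if not HEX_OBJECT_ID.fullmatch(head):
        # A malformed value is exactly what makes a checkout fail outright.
        findings.append(f"malformed current_head {head!r}: not a git object id")
        return findings
    tip = tips.get(branch)
    if tip is None:
        findings.append(f"configured branch {branch!r} not found on remote")
    elif head != tip:
        # Valid commit but not the branch tip: pinned (or simply not yet resynced).
        findings.append(
            f"current_head {head[:12]} is not the tip of {branch!r} ({tip[:12]})"
        )
    return findings


def audit_all(records: list[dict], ls_remote_by_url: dict[str, str]) -> dict[str, list[str]]:
    """Audit every record, keyed by repository name."""
    report: dict[str, list[str]] = {}
    for rec in records:
        tips = parse_ls_remote(ls_remote_by_url.get(rec["remote_url"], ""))
        report[rec["name"]] = audit_repository(rec, tips)
    return report


# Constructed sample data (not taken from any real instance or repository).
REMOTE = "https://git.example.internal/netops/nautobot-data.git"
SAMPLE_LS_REMOTE = {
    REMOTE: (
        "3f0b7e1c9d2a4b6e8f1a2c3d4e5f60718293a4b5\trefs/heads/main\n"
        "9e8d7c6b5a4f3e2d1c0b9a8f7e6d5c4b3a2f1e0d\trefs/heads/release\n"
    )
}
SAMPLE_RECORDS = [
    # Healthy: current_head equals the tip of main.
    {"name": "device-configs", "remote_url": REMOTE, "branch": "main",
     "current_head": "3f0b7e1c9d2a4b6e8f1a2c3d4e5f60718293a4b5"},
    # Pinned to an older, well-formed commit on main.
    {"name": "golden-config-jobs", "remote_url": REMOTE, "branch": "main",
     "current_head": "0c1d2e3f4a5b6c7d8e9f0a1b2c3d4e5f60718293"},
    # Branch does not exist on the remote.
    {"name": "legacy-templates", "remote_url": REMOTE, "branch": "develop",
     "current_head": "9e8d7c6b5a4f3e2d1c0b9a8f7e6d5c4b3a2f1e0d"},
    # Malformed hash written through the API.
    {"name": "scratch", "remote_url": REMOTE, "branch": "main",
     "current_head": "deadbeef"},
]


if __name__ == "__main__":
    for name, findings in audit_all(SAMPLE_RECORDS, SAMPLE_LS_REMOTE).items():
        print(f"{name}: {'OK' if not findings else '; '.join(findings)}")
```

A "not the tip" finding is not proof of exploitation on its own, since a repository that has not been resynced since the last push looks the same; it tells you which records to look up in the object change log to see who last wrote `current_head`. The malformed-hash case is the one that also explains clone or checkout errors in job logs.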

Evidence notes

CVE published 2026-05-28T18:16:34.007Z; modified 2026-05-28T19:30:57.857Z. Vendor advisory and patches released via GitHub Security Advisories. Affects Nautobot versions prior to 2.4.33 and 3.0.0 through 3.1.1.

Official resources

2026-05-28