GHSA-WPXJ-44W3-2J6X

Vulnerability from github – Published: 2026-05-13 15:30 – Updated: 2026-06-09 02:01
VLAI
Summary
Nautobot: REST API permits creation of GenericForeignKey references to objects that the user should not be able to reference
Details

Impact

In the case of inter-object references via GenericForeignKey (a pattern allowing an object to reference another object that may belong to one of several different "content types" or database tables), when creating or updating an object containing a GenericForeignKey, Nautobot's REST API failed to enforce user "view" permissions when determining whether a given reference to another object would be valid.

As a concrete example, a user:

  • who has permission to create or update ImageAttachment records
  • but who lacks permission to view (some or all) Device records
  • but who knows (via some other mechanism) the UUID of a specific Device that they do not otherwise have access to

could create via the REST API an ImageAttachment linked to that specific Device.

Other models that use GenericForeignKey and may be writable via the REST API, and hence have a similar vulnerability to ImageAttachment, may include:

  • ApprovalWorkflow
  • Cable
  • ConfigContext
  • ContactAssociation
  • DataCompliance
  • Device
  • ExportTemplate
  • GraphQLQuery
  • Note
  • ObjectMetadata
  • RelationshipAssociation
  • StaticGroupAssociation
  • VirtualMachine

Additionally, any Nautobot Apps that provide models with a REST API and use GenericForeignKey may have a similar vulnerability for their models.

Patches

A general-purpose fix has been implemented in Nautobot 2.4.33 and 3.1.2, which ensures correct application of "view" permissions when creating or modifying object references via GenericForeignKey throughout the REST API. Individual models/views/serializers generally will not require any specific code changes to benefit from this fix.

Workarounds

No known workarounds at this time.

References

Severity
5.4 (Medium)
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
Show details on source website
To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "nautobot"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "3.0.0a2"
            },
            {
              "fixed": "3.1.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "nautobot"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.4.33"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-44794"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-862"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-05-13T15:30:46Z",
    "nvd_published_at": "2026-05-28T18:16:33Z",
    "severity": "MODERATE"
  },
  "details": "### Impact\n\nIn the case of inter-object references via `GenericForeignKey` (a pattern allowing an object to reference another object that may belong to one of several different \"content types\" or database tables), when creating or updating an object containing a `GenericForeignKey`, Nautobot\u0027s REST API failed to enforce user \"view\" permissions when determining whether a given reference to another object would be valid. \n\nAs a concrete example, a user:\n\n- who has permission to create or update `ImageAttachment` records\n- but who lacks permission to view (some or all) `Device` records\n- _but who knows (via some other mechanism) the UUID of a specific `Device` that they do not otherwise have access to_\n\ncould create via the REST API an `ImageAttachment` linked to that specific `Device`.\n\nOther models that use `GenericForeignKey` and may be writable via the REST API, and hence have a similar vulnerability to `ImageAttachment`, may include:\n\n- `ApprovalWorkflow`\n- `Cable`\n- `ConfigContext`\n- `ContactAssociation`\n- `DataCompliance`\n- `Device`\n- `ExportTemplate`\n- `GraphQLQuery`\n- `Note`\n- `ObjectMetadata`\n- `RelationshipAssociation`\n- `StaticGroupAssociation`\n- `VirtualMachine`\n\nAdditionally, any Nautobot Apps that provide models with a REST API and use GenericForeignKey may have a similar vulnerability for their models.\n\n### Patches\n\nA general-purpose fix has been implemented in Nautobot 2.4.33 and 3.1.2, which ensures correct application of \"view\" permissions when creating or modifying object references via `GenericForeignKey` throughout the REST API. Individual models/views/serializers generally will not require any specific code changes to benefit from this fix.\n\n### Workarounds\n\nNo known workarounds at this time.\n\n### References\n\n- 2.4.33 (\u003ca href=\"https://github.com/nautobot/nautobot/commit/9918bdb9bcf1eb42cda72c344f420a64ef7665f1\"\u003epatch\u003c/a\u003e)\n- 3.1.2 (\u003ca href=\"https://github.com/nautobot/nautobot/commit/36cde7148a207234de6212ec074f321dbc9d1b5b\"\u003epatch\u003c/a\u003e)",
  "id": "GHSA-wpxj-44w3-2j6x",
  "modified": "2026-06-09T02:01:03Z",
  "published": "2026-05-13T15:30:46Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/nautobot/nautobot/security/advisories/GHSA-wpxj-44w3-2j6x"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-44794"
    },
    {
      "type": "WEB",
      "url": "https://github.com/nautobot/nautobot/commit/36cde7148a207234de6212ec074f321dbc9d1b5b"
    },
    {
      "type": "WEB",
      "url": "https://github.com/nautobot/nautobot/commit/9918bdb9bcf1eb42cda72c344f420a64ef7665f1"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/nautobot/nautobot"
    },
    {
      "type": "WEB",
      "url": "https://github.com/nautobot/nautobot/releases/tag/v2.4.33"
    },
    {
      "type": "WEB",
      "url": "https://github.com/nautobot/nautobot/releases/tag/v3.1.2"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Nautobot: REST API permits creation of GenericForeignKey references to objects that the user should not be able to reference"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.





Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.


Detection rules are retrieved from Rulezet.