PT-2026-40717 · Nautobot

Published 2026-05-13 · Updated 2026-05-28

CVE-2026-44794

CVSS v3.1: 5.4 (Medium)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions

Nautobot versions prior to 2.4.33
Nautobot versions prior to 3.1.2
Description

Nautobot is a Network Source of Truth and Network Automation Platform. Its REST API does not enforce the caller's view permission on the target object when creating or updating objects that reference other objects through a GenericForeignKey. A GenericForeignKey is a reference that can point at an object belonging to any of several content types (database tables), identified by a content type plus the target's primary key. Because the API only checks that the caller may create or update the referencing record, a user with permission to create or update a model such as ImageAttachment, but without permission to view certain Device records, can still link an attachment to such a device if they know its UUID. The same pattern affects ApprovalWorkflow, Cable, ConfigContext, ContactAssociation, DataCompliance, Device, ExportTemplate, GraphQLQuery, Note, ObjectMetadata, RelationshipAssociation, StaticGroupAssociation, and VirtualMachine. Nautobot Apps that expose models using GenericForeignKey through the REST API may be affected in the same way.

Exploitation requires an authenticated account that already holds create or update permission on one of the affected models (PR:L in the vector); the effect is that a caller can write a reference to, and thereby confirm the existence of, an object they are not allowed to view, which matches the low confidentiality and integrity impact.
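The following is an added illustration of the missing check, written for this page and not taken from Nautobot's code base. It models a GenericForeignKey target as a (content type, UUID) pair and contrasts the vulnerable resolver, which fetches the target from the whole store, with a hardened one that resolves the target only among objects the caller may view and reports a hidden object exactly like a nonexistent one, so the endpoint cannot be used as an existence oracle. All names (ObjectStore, User, Ref, resolve_unchecked, resolve_restricted, the sample device and UUIDs) are hypothetical stand-ins; the real fix lives in the REST API serializers and uses Nautobot's own permission machinery.

```python
import uuid
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Ref:
    """A GenericForeignKey-style reference: target table plus primary key."""
    content_type: str       # e.g. "dcim.device"
    object_id: uuid.UUID


@dataclass
class User:
    name: str
    # action -> content types the user may perform it on (hypothetical model)
    perms: dict = field(default_factory=dict)

    def can(self, action: str, content_type: str) -> bool:
        return content_type in self.perms.get(action, set())


class ObjectStore:
    """Toy stand-in for the database: content type -> {uuid: row}."""

    def __init__(self):
        self._tables: dict = {}

    def add(self, content_type: str, obj_id: uuid.UUID, row: dict) -> None:
        self._tables.setdefault(content_type, {})[obj_id] = row

    def get(self, ref: Ref):
        return self._tables.get(ref.content_type, {}).get(ref.object_id)

    def restrict(self, user: User, action: str) -> "ObjectStore":
        """A copy holding only rows `user` may `action` on: the shape of a
        permission-filtered queryset, which is what the fix must consult."""
        allowed = ObjectStore()
        for content_type, rows in self._tables.items():
            if user.can(action, content_type):
                for obj_id, row in rows.items():
                    allowed.add(content_type, obj_id, row)
        return allowed


class InvalidReference(ValueError):
    pass


def resolve_unchecked(store: ObjectStore, user: User, ref: Ref) -> dict:
    """Vulnerable pattern: the target is fetched from the full store, so view
    permission on it is never checked and the message reveals whether the
    UUID exists."""
    row = store.get(ref)
    if row is None:
        raise InvalidReference(f"{ref.content_type} {ref.object_id} does not exist")
    return row


def resolve_restricted(store: ObjectStore, user: User, ref: Ref) -> dict:
    """Hardened pattern: look the target up only among objects the caller may
    view, and report a hidden object exactly like a missing one."""
    row = store.restrict(user, "view").get(ref)
    if row is None:
        raise InvalidReference(f"Invalid {ref.content_type} reference")
    return row


def create_attachment(store, user, target: Ref, name: str, resolver) -> dict:
    """Create an ImageAttachment-like record pointing at `target`. The caller
    needs 'add' on the attachment model; checking the target is the resolver's job."""
    if not user.can("add", "extras.imageattachment"):
        raise PermissionError("no add permission on extras.imageattachment")
    row = resolver(store, user, target)
    return {"name": name, "target": target, "target_name": row["name"]}


def attempt(store, user, target: Ref, resolver) -> tuple:
    """Run one create and classify the outcome so results can be compared."""
    try:
        created = create_attachment(store, user, target, "rack photo", resolver)
        return ("linked", created["target_name"])
    except InvalidReference as exc:
        return ("rejected", str(exc))


def build_scenario():
    """Constructed sample data: one device, a user who may add attachments
    but may not view devices, and a reference to a UUID that does not exist."""
    store = ObjectStore()
    device_id = uuid.UUID("0f1e2d3c-4b5a-4978-8765-43210fedcba9")
    store.add("dcim.device", device_id, {"name": "core-sw-01"})
    limited = User("limited", {"add": {"extras.imageattachment"}, "view": set()})
    bogus = Ref("dcim.device", uuid.UUID("00000000-0000-4000-8000-000000000000"))
    return store, limited, Ref("dcim.device", device_id), bogus


if __name__ == "__main__":
    store, limited, known, bogus = build_scenario()
    for resolver in (resolve_unchecked, resolve_restricted):
        print(resolver.__name__, "known UUID:", attempt(store, limited, known, resolver))
        print(resolver.__name__, "bogus UUID:", attempt(store, limited, bogus, resolver))
```

Running the block shows the two halves of the bug: with resolve_unchecked the limited user links to a device it may not view, and the error text for a bogus UUID differs from the success for a real one; with resolve_restricted both requests are rejected with an identical message, while a user who does hold view permission on dcim.device still succeeds.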
Recommendations

Update to version 2.4.33 or later on the 2.x line, or to version 3.1.2 or later on the 3.x line. Until the upgrade is done, review which accounts hold create or update permission on the affected models, since that permission is the only prerequisite for the bypass.

Fix

Fixed in Nautobot 2.4.33 and 3.1.2.

Weakness Enumeration

Missing Authorization (CWE-862)

Related Identifiers

CVE-2026-44794
GHSA-WPXJ-44W3-2J6X

Affected Products

Nautobot