PT-2026-40720 · Nautobot+2 · Nautobot

Holmie · Published 2026-05-13 · Updated 2026-05-29 · CVE-2026-44798

CVSS v3.1: 7.1 (High)

Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H

Name of the Vulnerable Software and Affected Versions

Nautobot versions prior to 2.4.33
Nautobot versions prior to 3.1.2

Description

A user with permissions to add or modify a GitRepository record can use the REST API to directly set the current head field, which is not intended to be user-editable. Doing so may cause local clones of the repository to check out a commit other than the latest one on the specified branch, leaving the repository in a misleading state. It can also render the repository unusable if current head is set to a malformed value or a nonexistent commit hash.

Recommendations

Update to version 2.4.33.
Update to version 3.1.2.
Carefully review and restrict permissions granted to users for creating and modifying GitRepository records.
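
The pattern behind this issue and a post-upgrade check, as an added example (not Nautobot's code or its actual fix): a handler that writes every request key beside one that rejects server-managed fields, plus an audit of stored records for malformed or unexpected current head values. The key names `current_head`, `remote_url` and `branch`, the handler functions and the sample data are assumptions made for illustration.

```python
import re

# Assumption: the advisory's "current head" field is modelled as the key
# "current_head"; the other keys are hypothetical stand-ins.
READ_ONLY_FIELDS = frozenset({"current_head"})
COMMIT_HASH = re.compile(r"[0-9a-f]{40}|[0-9a-f]{64}")  # SHA-1 or SHA-256 object id


def apply_update_unsafe(record, payload):
    """Flawed pattern: every key in the request body is written to the record."""
    return {**record, **payload}


def apply_update_hardened(record, payload):
    """Reject requests that try to write server-managed fields."""
    blocked = READ_ONLY_FIELDS.intersection(payload)
    if blocked:
        raise PermissionError(f"read-only field(s) in request: {sorted(blocked)}")
    return {**record, **payload}


def audit_current_head(record, branch_tips):
    """Classify a stored record against the branch tip seen on the remote.

    branch_tips maps (remote_url, branch) to the tip commit hash, gathered
    independently by the auditor (for example with `git ls-remote`).
    """
    head = record.get("current_head") or ""
    if not head:
        return "unset"
    if not COMMIT_HASH.fullmatch(head):
        return "malformed"
    tip = branch_tips.get((record["remote_url"], record["branch"]))
    if tip is None:
        return "unknown-remote"
    return "ok" if head == tip else "not-branch-tip"


# Constructed sample data, not taken from any real deployment.
TIP = "a" * 40
RECORD = {"name": "configs", "remote_url": "https://git.example.com/configs.git",
          "branch": "main", "current_head": TIP}
TIPS = {(RECORD["remote_url"], RECORD["branch"]): TIP}

if __name__ == "__main__":
    for body in ({"current_head": "not-a-hash"}, {"current_head": "b" * 40}):
        print(body, "->", audit_current_head(apply_update_unsafe(RECORD, body), TIPS))
    try:
        apply_update_hardened(RECORD, {"current_head": "b" * 40})
    except PermissionError as exc:
        print("hardened handler:", exc)
```

A `not-branch-tip` result also occurs when a repository has not been synced since the last push to the remote, so treat it as a record to re-sync and review rather than as proof of tampering.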

Related Identifiers

CVE-2026-44798
GHSA-P3HX-PWF3-J8WR

Affected Products

Nautobot