CVE-2026-44794

Name: CVE-2026-44794
Creator: NVD / NIST
Published: 2026-05-28T18:16:33.203+00:00
License: https://creativecommons.org/publicdomain/zero/1.0/

MEDIUMCVSS 5.4/10EPSS 0.18%

Last modified Jun 17, 2026

CVE-2026-44794 is a medium-severity vulnerability rated 5.4/10 on the CVSS scale. Nautobot is a Network Source of Truth and Network Automation Platform. Prior to 2.4.33 and 3.1.2, in the case of inter-object references via GenericForeignKey (a pattern allowing an object to reference another object that may belong to one of several different "content types" or database tables), when creating or updating an object containing a GenericForeignKey, Nautobot's REST API failed to enforce user "view" permissions when determining whether a given reference to another object would be valid. EPSS estimates a 0.18% chance of exploitation in the next 30 days.

Description

Nautobot is a Network Source of Truth and Network Automation Platform. Prior to 2.4.33 and 3.1.2, in the case of inter-object references via GenericForeignKey (a pattern allowing an object to reference another object that may belong to one of several different "content types" or database tables), when creating or updating an object containing a GenericForeignKey, Nautobot's REST API failed to enforce user "view" permissions when determining whether a given reference to another object would be valid. This vulnerability is fixed in 2.4.33 and 3.1.2.

Metrics

CVSS 3.1

5.4/10

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

EPSS Probability

0.18%

7.5th percentile

Probability of exploitation in the next 30 days. Learn more

Weakness Enumeration

CWE-862

Affected Software

Vendor	Product	Versions
Networktocode	Nautobot	< 2.4.33
Networktocode	Nautobot	>= 3.0.0, < 3.1.2

References

https://github.com/nautobot/nautobot/commit/36cde7148a207234de6212ec074f321dbc9d1b5bPatch
https://github.com/nautobot/nautobot/commit/9918bdb9bcf1eb42cda72c344f420a64ef7665f1Patch
https://github.com/nautobot/nautobot/releases/tag/v2.4.33Product, Release Notes
https://github.com/nautobot/nautobot/releases/tag/v3.1.2Product, Release Notes
https://github.com/nautobot/nautobot/security/advisories/GHSA-wpxj-44w3-2j6xPatch, Vendor Advisory

Timeline

Published: May 28, 2026
Last Modified: Jun 17, 2026
Status: Analyzed

Frequently Asked Questions

What is CVE-2026-44794?

How severe is CVE-2026-44794?

CVE-2026-44794 has a CVSS score of 5.4/10 (MEDIUM severity). The EPSS model estimates a 0.18% probability of exploitation in the next 30 days.

How do I fix CVE-2026-44794?

Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.

Are you affected by CVE-2026-44794?

Run a free Strix scan to check your systems for this vulnerability.

Scan your code now

Source: NVD / NIST