{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/netbox/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[{"cvss":8.8,"id":"CVE-2026-29514"}],"_cs_exploited":false,"_cs_products":["NetBox (4.3.5 - 4.5.4)"],"_cs_severities":["critical"],"_cs_tags":["rce","template-injection","netbox","cve-2026-29514"],"_cs_type":"advisory","_cs_vendors":["NetBox"],"content_html":"\u003cp\u003eNetBox, a widely-used infrastructure resource modeling application, is vulnerable to remote code execution (RCE) in versions 4.3.5 through 4.5.4. This vulnerability, identified as CVE-2026-29514, resides in the \u003ccode\u003eRenderTemplateMixin.get_environment_params()\u003c/code\u003e method. An authenticated attacker with \u003ccode\u003eexporttemplate\u003c/code\u003e or \u003ccode\u003econfigtemplate\u003c/code\u003e permissions can exploit this flaw by injecting malicious Python callables into the \u003ccode\u003eenvironment_params\u003c/code\u003e field. Successful exploitation allows the attacker to bypass the Jinja2 SandboxedEnvironment, achieving arbitrary code execution as the NetBox service user. This RCE can lead to complete system compromise, data exfiltration, or denial of service. Defenders should prioritize patching and implement the detection measures outlined below.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn authenticated user logs into the NetBox web application with \u003ccode\u003eexporttemplate\u003c/code\u003e or \u003ccode\u003econfigtemplate\u003c/code\u003e permissions.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious request to modify or create an export/config template.\u003c/li\u003e\n\u003cli\u003eWithin the request, the attacker injects a Python callable, such as \u003ccode\u003esubprocess.getoutput\u003c/code\u003e, into the \u003ccode\u003eenvironment_params\u003c/code\u003e field. The \u003ccode\u003efinalize\u003c/code\u003e parameter of the Jinja2 environment is set to this callable.\u003c/li\u003e\n\u003cli\u003eNetBox processes the request, and the Jinja2 environment is initialized with the attacker-controlled \u003ccode\u003efinalize\u003c/code\u003e parameter.\u003c/li\u003e\n\u003cli\u003eWhen the template is rendered, every expression outside the sandbox\u0026rsquo;s call interception mechanism is processed.\u003c/li\u003e\n\u003cli\u003eThe injected callable (\u003ccode\u003esubprocess.getoutput\u003c/code\u003e) is invoked on the rendered expression.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003esubprocess.getoutput\u003c/code\u003e callable executes arbitrary shell commands as the NetBox service user.\u003c/li\u003e\n\u003cli\u003eThe attacker gains remote code execution, potentially leading to full system compromise or data exfiltration.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-29514 allows an authenticated attacker to execute arbitrary code on the NetBox server. The impact includes potential full system compromise, data exfiltration, and denial of service. Given that NetBox is often used to manage critical infrastructure information, a successful attack could have significant consequences, potentially affecting numerous organizations that rely on accurate network data.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade NetBox to a patched version (4.5.5 or later) to remediate CVE-2026-29514.\u003c/li\u003e\n\u003cli\u003eImplement the provided Sigma rule to detect attempts to inject malicious callables into \u003ccode\u003eenvironment_params\u003c/code\u003e via webserver logs.\u003c/li\u003e\n\u003cli\u003eReview and restrict \u003ccode\u003eexporttemplate\u003c/code\u003e and \u003ccode\u003econfigtemplate\u003c/code\u003e permissions to only those users who require them.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-04T17:16:22Z","date_published":"2026-05-04T17:16:22Z","id":"/briefs/2026-05-netbox-rce/","summary":"NetBox versions 4.3.5 through 4.5.4 are vulnerable to remote code execution (RCE) via template injection, where authenticated users with specific permissions can inject malicious Python callables into template parameters, bypassing Jinja2 sandboxing to execute arbitrary code.","title":"NetBox RCE via Jinja2 Template Injection (CVE-2026-29514)","url":"https://feed.craftedsignal.io/briefs/2026-05-netbox-rce/"}],"language":"en","title":"CraftedSignal Threat Feed — Netbox","version":"https://jsonfeed.org/version/1.1"}