{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/vendors/nautobot/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Nautobot (\u003c 2.4.33)","Nautobot (\u003e= 3.0.0a2, \u003c 3.1.2)"],"_cs_severities":["high"],"_cs_tags":["ssrf","nautobot","cve-2026-44797"],"_cs_type":"advisory","_cs_vendors":["Nautobot"],"content_html":"\u003cp\u003eNautobot\u0026rsquo;s \u003ccode\u003eWebhook\u003c/code\u003e data model is susceptible to server-side request forgery (SSRF) due to insufficient restrictions on webhook destinations. This vulnerability allows users with the ability to create or modify \u003ccode\u003eWebhook\u003c/code\u003e records to potentially initiate requests to internal or otherwise restricted hosts and IP addresses. This can lead to information disclosure, internal network scanning, or exploitation of other internal services. The vulnerability affects Nautobot versions prior to 2.4.33 and versions between 3.0.0a2 and 3.1.2. Patches were released on May 13, 2026, in Nautobot v2.4.33 and v3.1.2 to address this issue. New settings \u003ccode\u003eWEBHOOK_ALLOWED_SCHEMES\u003c/code\u003e, \u003ccode\u003eWEBHOOK_ADDITIONAL_BLOCKED_NETWORKS\u003c/code\u003e, and \u003ccode\u003eWEBHOOK_ALLOWED_HOSTS\u003c/code\u003e are introduced to mitigate the risk.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains unauthorized access to a Nautobot account with permissions to manage Webhook objects (add or change).\u003c/li\u003e\n\u003cli\u003eThe attacker creates a new Webhook or modifies an existing one.\u003c/li\u003e\n\u003cli\u003eThe attacker configures the Webhook to send requests to an internal or restricted IP address or hostname. This could be an internal service, a local network address, or a blocked external host.\u003c/li\u003e\n\u003cli\u003eA triggering event occurs within Nautobot that activates the Webhook (e.g., device creation, change of status).\u003c/li\u003e\n\u003cli\u003eNautobot\u0026rsquo;s Webhook functionality initiates an HTTP/HTTPS request to the attacker-specified destination.\u003c/li\u003e\n\u003cli\u003eThe target host receives the request originating from the Nautobot server.\u003c/li\u003e\n\u003cli\u003eThe attacker observes the response from the target host or uses the SSRF to interact with internal services.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the SSRF to potentially gather sensitive information, bypass access controls, or exploit vulnerable internal services.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this SSRF vulnerability can lead to the exposure of internal network infrastructure, sensitive data residing on internal services, or the ability to pivot to other internal systems. The impact depends on the accessibility and vulnerabilities of the targeted internal services. Without proper restrictions, attackers could potentially compromise the entire Nautobot server and the network it resides on.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade to Nautobot version 2.4.33 or 3.1.2 or later to apply the patches for CVE-2026-44797.\u003c/li\u003e\n\u003cli\u003eReview user permissions and restrict \u003ccode\u003eadd\u003c/code\u003e and \u003ccode\u003echange\u003c/code\u003e permissions for the \u003ccode\u003eWebhook\u003c/code\u003e data model to only trusted administrators.\u003c/li\u003e\n\u003cli\u003eAudit existing \u003ccode\u003eWebhook\u003c/code\u003e records for suspicious or unauthorized destination URLs and IP addresses as recommended in the advisory.\u003c/li\u003e\n\u003cli\u003eConfigure the \u003ccode\u003eWEBHOOK_ALLOWED_SCHEMES\u003c/code\u003e setting to restrict Webhooks to only HTTP and HTTPS protocols.\u003c/li\u003e\n\u003cli\u003eUtilize the \u003ccode\u003eWEBHOOK_ADDITIONAL_BLOCKED_NETWORKS\u003c/code\u003e setting to block access to internal networks (e.g., RFC1918 addresses) or other prohibited IP ranges.\u003c/li\u003e\n\u003cli\u003eIf necessary, use the \u003ccode\u003eWEBHOOK_ALLOWED_HOSTS\u003c/code\u003e setting to explicitly allow access to specific hosts that are otherwise blocked by \u003ccode\u003eWEBHOOK_ADDITIONAL_BLOCKED_NETWORKS\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule to detect potentially malicious Webhook configurations.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-13T15:32:20Z","date_published":"2026-05-13T15:32:20Z","id":"https://feed.craftedsignal.io/briefs/2026-05-nautobot-ssrf/","summary":"Nautobot's Webhook feature is vulnerable to server-side request forgery (SSRF), allowing users with `add` or `change` permissions to make requests to unauthorized hosts, which is fixed in versions 2.4.33 and 3.1.2 by introducing settings to restrict webhook functionality.","title":"Nautobot Webhook SSRF Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-05-nautobot-ssrf/"},{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Nautobot ( \u003c 2.4.33)","Nautobot (\u003e= 3.0.0a2, \u003c 3.1.2)"],"_cs_severities":["high"],"_cs_tags":["nautobot","gitrepository","rest-api","privilege-escalation"],"_cs_type":"advisory","_cs_vendors":["Nautobot"],"content_html":"\u003cp\u003eA vulnerability exists in Nautobot versions prior to 2.4.33 and between 3.0.0a2 and 3.1.2 that allows users with the ability to add or change GitRepository records to manipulate the \u003ccode\u003ecurrent_head\u003c/code\u003e field through the REST API. This field, intended for internal use, dictates the commit hash that Nautobot\u0026rsquo;s local clone of the repository checks out. By directly modifying this field, an attacker can force the local repository to an arbitrary state, potentially checking out an older commit, a non-existent commit, or a malformed value. This can lead to incorrect or misleading infrastructure state within Nautobot and may require manual intervention to resolve. The vulnerability, identified as CVE-2026-44798, was addressed in Nautobot versions 2.4.33 and 3.1.2.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker authenticates to the Nautobot REST API with credentials that have permissions to modify GitRepository records.\u003c/li\u003e\n\u003cli\u003eThe attacker identifies a GitRepository record they wish to manipulate.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a REST API PUT or PATCH request to the GitRepository endpoint.\u003c/li\u003e\n\u003cli\u003eThe request includes a modified \u003ccode\u003ecurrent_head\u003c/code\u003e field containing a commit hash value. This value may be an older commit hash, a nonexistent commit hash, or a malformed string.\u003c/li\u003e\n\u003cli\u003eNautobot processes the API request and updates the \u003ccode\u003ecurrent_head\u003c/code\u003e field of the specified GitRepository record with the attacker-supplied value.\u003c/li\u003e\n\u003cli\u003eNautobot\u0026rsquo;s background processes attempt to synchronize the local Git repository clone with the updated \u003ccode\u003ecurrent_head\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eDepending on the value of \u003ccode\u003ecurrent_head\u003c/code\u003e, the synchronization either checks out the specified commit, fails due to an invalid commit, or corrupts the local repository.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves the objective of desynchronizing Nautobot\u0026rsquo;s view of the repository state or rendering the repository unusable.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-44798 can cause Nautobot\u0026rsquo;s view of network infrastructure to become inconsistent with the actual state represented in the Git repository. This can lead to misconfiguration, failed automation tasks, and general operational disruption. In the worst-case scenario, manual intervention is required to correct the \u003ccode\u003ecurrent_head\u003c/code\u003e value and resynchronize the repository. The number of affected installations is unknown, but any Nautobot instance with users who can modify GitRepository objects is potentially vulnerable.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade Nautobot to version 2.4.33 or 3.1.2 to address CVE-2026-44798.\u003c/li\u003e\n\u003cli\u003eReview and restrict user permissions to create and modify GitRepository records, as suggested in the advisory workaround.\u003c/li\u003e\n\u003cli\u003eImplement the detection rule \u0026ldquo;Detect Direct Modification of Nautobot GitRepository current_head via API\u0026rdquo; to monitor for unauthorized changes to the \u003ccode\u003ecurrent_head\u003c/code\u003e field via the REST API.\u003c/li\u003e\n\u003cli\u003eMonitor webserver logs for PATCH or PUT requests to the \u003ccode\u003e/api/extras/git-repositories/\u0026lt;id\u0026gt;/\u003c/code\u003e endpoint that contain the \u003ccode\u003ecurrent_head\u003c/code\u003e parameter, using a rule similar to \u0026ldquo;Detect API Requests to Modify Nautobot GitRepository current_head\u0026rdquo;.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-13T15:31:55Z","date_published":"2026-05-13T15:31:55Z","id":"https://feed.craftedsignal.io/briefs/2026-05-nautobot-gitrepository-writable/","summary":"A user with permissions to modify GitRepository records can manipulate the `current_head` field via the REST API in Nautobot, leading to repository state desynchronization or unavailability; this is remediated in versions 2.4.33 and 3.1.2.","title":"Nautobot GitRepository current_head Field Writable via REST API (CVE-2026-44798)","url":"https://feed.craftedsignal.io/briefs/2026-05-nautobot-gitrepository-writable/"}],"language":"en","title":"CraftedSignal Threat Feed — Nautobot","version":"https://jsonfeed.org/version/1.1"}