CVE Catalog

CVE-2026-44798

High
Published: Translated: NVD NIST

Summary

In Nautobot prior to versions 2.4.33 and 3.1.2, a user with access to add/change a GitRepository record could use the REST API to directly set the current_head field, which was not intended to be user-editable. This could lead to outdated states of local clones of the repositories or prevent the use of the repository altogether.

Risk Assessment

The organization may face issues with repository synchronization, leading to incorrect states and potential downtime in code handling. This could also affect trust in the data within the system.

Recommendation

It is recommended to upgrade Nautobot to versions 2.4.33 or 3.1.2 to mitigate this vulnerability. Additionally, an audit of existing GitRepository records should be conducted to verify their correctness.

Original NVD description (English source)

Nautobot is a Network Source of Truth and Network Automation Platform. Prior to 2.4.33 and 3.1.2, a user with access to add/change a GitRepository record could use the REST API to directly set the current_head field on the record, which was not intended to be user-editable. Doing so could cause Nautobot's local clone(s) of the relevant repository to checkout a commit other than the latest commit on the specified branch (resulting in misleading state), or potentially to be unable to make use of the repository at all (until manually remediated) due to the current_head pointing to a nonexistent commit hash or malformed value. This vulnerability is fixed in 2.4.33 and 3.1.2.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS