Nautobot: Webhook definitions could be used for server-side request forgery...

8.5 / 10

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N

Description

Nautobot is a Network Source of Truth and Network Automation Platform. Prior to 2.4.33 and 3.1.2, Nautobot's Webhook data model and associated feature set could be configured by users with sufficient access to perform requests to various hosts and IP addresses that should not be permitted, allowing for various behaviors similar to server-side request forgery (SSRF). This vulnerability is fixed in 2.4.33 and 3.1.2.

AI Analysis

Server-side request forgery (SSRF) vulnerability in Nautobot's Webhook data model

Basic Information

ID CVE-2026-44797

Source GitHub_M

Published May 28, 2026 at 16:59

Affected Product

Vendor nautobot

Product nautobot

Version >= 3.0.0a2, < 3.1.2

Affected Versions nautobot nautobot >= 3.0.0a2, < 3.1.2
nautobot nautobot < 2.4.33

CWE Classification

CWE-918

AI Assessment

AI Score 8.5 / 10

AI Severity High

Vendor Nautobot

Product Nautobot

Version < 2.4.33, >= 3.0.0a2, < 3.1.2

References

{
    "lastseen": "",
    "description": "Nautobot is a Network Source of Truth and Network Automation Platform. Prior to 2.4.33 and 3.1.2, Nautobot's Webhook data model and associated feature set could be configured by users with sufficient access to perform requests to various hosts and IP addresses that should not be permitted, allowing for various behaviors similar to server-side request forgery (SSRF). This vulnerability is fixed in 2.4.33 and 3.1.2.",
    "published": "2026-05-28T16:59:06.143Z",
    "modified": "2026-05-28T16:59:06.143Z",
    "type": "cve",
    "title": "Nautobot: Webhook definitions could be used for server-side request forgery (SSRF)",
    "source": "GitHub_M",
    "references": "https://github.com/nautobot/nautobot/security/advisories/GHSA-c35q-vxrp-ph26\nhttps://github.com/nautobot/nautobot/commit/16aa4aa9796ab7a31c4d615ec945e1f16d8c77c4\nhttps://github.com/nautobot/nautobot/commit/7324c8f0d8c7245fbc691e15d729adc2d2707d08\nhttps://github.com/nautobot/nautobot/releases/tag/v2.4.33\nhttps://github.com/nautobot/nautobot/releases/tag/v3.1.2",
    "id": "CVE-2026-44797",
    "bulletinFamily": "",
    "cwe": [
        "CWE-918"
    ],
    "cvelist": null,
    "sourceData": "nautobot nautobot >= 3.0.0a2, < 3.1.2\nnautobot nautobot < 2.4.33",
    "sourceHref": "",
    "cvss": {
        "score": 8.5,
        "severity": "HIGH",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "nautobot",
    "version": ">= 3.0.0a2, < 3.1.2",
    "vendor": "nautobot",
    "ai_description": "Server-side request forgery (SSRF) vulnerability in Nautobot's Webhook data model",
    "ai_severity": "High",
    "ai_vendor": "Nautobot",
    "ai_product": "Nautobot",
    "ai_version": "< 2.4.33, >= 3.0.0a2, < 3.1.2",
    "ai_score": 8.5
}

Nautobot: Webhook definitions could be used for server-side request forgery (SSRF)_CVE-2026-44797