CVE-2026-44797: Nautobot: Webhook definitions could be used for server-side request forgery (SSRF)
Nautobot is a Network Source of Truth and Network Automation Platform. Prior to 2.4.33 and 3.1.2, Nautobot's Webhook data model and associated feature set could be configured by users with sufficient access to perform requests to various hosts and IP addresses that should not be permitted, allowing for various behaviors similar to server-side request forgery (SSRF). This vulnerability is fixed in 2.4.33 and 3.1.2.
HarborGuard Analysis
Synopsis
This is a server-side request forgery (SSRF) vulnerability in Nautobot, a network automation and source-of-truth platform. An authenticated user with sufficient access to manage Webhook definitions can craft webhook configurations that cause the Nautobot server to send HTTP requests to arbitrary internal or restricted hosts, bypassing network controls the server would normally respect. Successful exploitation allows an attacker to read sensitive data from internal services and make limited modifications via outbound requests. HarborGuard is tracking this advisory and will make a patched-image rebuild available as soon as fix versions 2.4.33 or 3.1.2 are published upstream.
HarborGuard Coverage
- Detection: Available
Detection is available across every HarborGuard environment: the CVE is ingested from upstream advisory feeds within minutes of publication and matched against all customer images, including custom-built images that bundle Nautobot. Any image carrying an affected version of the nautobot package is flagged immediately in the registry scan and CI pipeline check.
- Scoring and routing: Available
HarborGuard scores this finding at CVSS 8.5 (HIGH) and weights it against each environment's compliance policy to determine urgency and routing. The finding is automatically assigned to the appropriate inbox within each customer organization based on ownership rules configured for that environment.
- Patched-image rebuild: Pending upstream
Because no upstream fix versions have been published yet, HarborGuard re-evaluates the advisory on every ingest cycle and will make a patched-image rebuild available the moment versions 2.4.33 or 3.1.2 appear upstream. For customers with auto-remediation enabled, the rebuild, regression-test run, and PR against affected workloads will be triggered automatically at that point.
Exploit Conditions
- Network reachability: Required
The attacker must reach the Nautobot web interface over the network; the service must be exposed to the attacker's network segment.
- Authentication: Required
The attacker must hold a valid Nautobot account with sufficient privileges to create or modify Webhook definitions; any low-privilege account granted that permission is sufficient.
- Victim interaction: Not required
No other user needs to take any action; the attacker configures the malicious webhook directly and triggers it without any victim involvement.
- Attack complexity: Low (AC:L in the CVSS vector)
Exploitation is straightforward and condition-free: once the attacker has the necessary account access, crafting a malicious webhook requires no race conditions or special environmental setup.
Blast Radius
- The Nautobot server sends HTTP requests to internal hosts or IP ranges that should be unreachable from the public network, exposing internal services to enumeration and data extraction.
- The attacker reads responses from internal HTTP endpoints, which may include stored credentials, API tokens, configuration data, or metadata service payloads (such as cloud instance metadata at 169.254.169.254).
- The CVSS Integrity score of Low reflects that outbound webhook requests may also trigger state changes on internal services that accept unauthenticated or lightly authenticated HTTP calls, allowing limited data modification.
- Network segmentation controls placed in front of internal services are bypassed because the requests originate from the trusted Nautobot server process itself.
How HarborGuard Handles This
Available on HarborGuard: this CVE is actively monitored across all customer environments scanning images that include Nautobot. Because no upstream fix has been published, the current capability is continuous advisory tracking on every ingest cycle. The moment versions 2.4.33 or 3.1.2 are released, a patched-image rebuild becomes available; for customers with auto-remediation enabled, this triggers a full rebuild, regression-test run, and a PR opened against affected workloads automatically. In the interim, compensating controls worth evaluating include egress network policy rules on Nautobot pods or containers to block requests to RFC-1918 address ranges and link-local addresses, strict review of which accounts hold webhook management permissions, and feature-flag or RBAC gating to restrict webhook creation to a minimal set of trusted users until the patch is applied.
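The egress rules described above stop the requests at the network layer; the application-layer counterpart is to refuse to store a webhook whose destination resolves to an internal address in the first place. The following is an added example written for this page, not Nautobot's own code and not the upstream fix: a webhook-destination validator that resolves the host and rejects loopback, RFC 1918, link-local (including 169.254.169.254), carrier-grade NAT, multicast and the IPv6 equivalents. Every name in it (validate_webhook_url, is_webhook_url_allowed, the DEMO_RESOLUTIONS mapping and the hostnames it contains) is an assumption constructed for the example, and the resolver is injectable so the demo runs without network access.

```python
from __future__ import annotations

import ipaddress
import socket
from typing import Callable, List, Union
from urllib.parse import urlsplit

IPAddress = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]
Resolver = Callable[[str], List[IPAddress]]

ALLOWED_SCHEMES = {"http", "https"}

# Destination ranges a webhook must never reach. RFC 1918 and link-local
# mirror the egress-policy advice in the advisory; loopback, carrier-grade
# NAT, multicast and the IPv6 equivalents are added because the same SSRF
# concern applies to them.
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16",
    "224.0.0.0/4", "240.0.0.0/4",
    "::/128", "::1/128", "fc00::/7", "fe80::/10", "ff00::/8",
)]


def address_is_blocked(ip: IPAddress) -> bool:
    """True if ip falls in a range webhooks may not target."""
    # An IPv4-mapped IPv6 literal such as ::ffff:127.0.0.1 must be judged as
    # the IPv4 address it wraps, or the loopback check is trivially bypassed.
    mapped = getattr(ip, "ipv4_mapped", None)
    if mapped is not None:
        ip = mapped
    if ip.is_loopback or ip.is_link_local or ip.is_multicast or ip.is_unspecified:
        return True
    return any(ip in net for net in BLOCKED_NETWORKS)


def system_resolver(host: str) -> List[IPAddress]:
    """Resolve host with the OS resolver, returning every address it maps to."""
    try:
        infos = socket.getaddrinfo(host, None, proto=socket.IPPROTO_TCP)
    except socket.gaierror:
        return []
    # Strip an IPv6 zone index (fe80::1%eth0) before parsing the address.
    return [ipaddress.ip_address(info[4][0].split("%", 1)[0]) for info in infos]


def validate_webhook_url(url: str, resolver: Resolver = system_resolver) -> str:
    """Return url unchanged if every address it can reach is acceptable; raise ValueError otherwise."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        raise ValueError(f"scheme {parts.scheme!r} is not allowed")
    if not parts.hostname:
        raise ValueError("URL has no host")
    if parts.username or parts.password:
        raise ValueError("credentials embedded in the URL are not allowed")
    try:
        # A literal IP (including a bracketed IPv6 literal) needs no lookup.
        addresses: List[IPAddress] = [ipaddress.ip_address(parts.hostname)]
    except ValueError:
        addresses = resolver(parts.hostname)
    if not addresses:
        raise ValueError(f"{parts.hostname!r} does not resolve")
    # Every returned address is checked: a name that maps to one public and
    # one internal address is rejected, since the HTTP client may use either.
    for ip in addresses:
        if address_is_blocked(ip):
            raise ValueError(f"{parts.hostname!r} resolves to blocked address {ip}")
    return url


def is_webhook_url_allowed(url: str, resolver: Resolver = system_resolver) -> bool:
    """Boolean form of validate_webhook_url for policy checks."""
    try:
        validate_webhook_url(url, resolver)
    except ValueError:
        return False
    return True


# Constructed name-to-address mapping so the checks run offline; the public
# address is only a stand-in, not a real webhook receiver.
DEMO_RESOLUTIONS = {
    "hooks.example.net": [ipaddress.ip_address("8.8.8.8")],
    "metadata.internal.test": [ipaddress.ip_address("169.254.169.254")],
    "dual.example.net": [ipaddress.ip_address("8.8.8.8"), ipaddress.ip_address("10.0.0.5")],
}


def demo_resolver(host: str) -> List[IPAddress]:
    return DEMO_RESOLUTIONS.get(host, [])


if __name__ == "__main__":
    for candidate in (
        "https://hooks.example.net/notify",
        "http://metadata.internal.test/latest/meta-data/",
        "http://dual.example.net/",
        "http://[::ffff:127.0.0.1]/",
    ):
        verdict = "allowed" if is_webhook_url_allowed(candidate, demo_resolver) else "blocked"
        print(f"{candidate}: {verdict}")
```

Two caveats matter in practice. First, a check made when the webhook is saved can be undone by DNS rebinding (the name resolves to a public address at save time and to an internal one at delivery time), so the delivery path should either re-run the same check or pin the connection to the address that passed it. Second, this is a complement to, not a replacement for, the egress network policy: the validator only covers destinations that flow through the webhook model, while a pod-level egress rule catches any other outbound path.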
Metrics
- CVSS v3.1: 8.5
- Severity: HIGH
- Fixed in: —
- Affected Products: 1
- nautobot / nautobot: >= 3.0.0a2, < 3.1.2 · < 2.4.33
- CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N
References
- https://github.com/nautobot/nautobot/security/advisories/GHSA-c35q-vxrp-ph26
- https://github.com/nautobot/nautobot/commit/16aa4aa9796ab7a31c4d615ec945e1f16d8c77c4
- https://github.com/nautobot/nautobot/commit/7324c8f0d8c7245fbc691e15d729adc2d2707d08
- https://github.com/nautobot/nautobot/releases/tag/v2.4.33
- https://github.com/nautobot/nautobot/releases/tag/v3.1.2