Severity: HIGH · CVE-2026-44798 · CNA: GitHub_M

CVE-2026-44798: Nautobot: GitRepository.current_head field should not be writable through REST API

Nautobot is a Network Source of Truth and Network Automation Platform. Prior to 2.4.33 and 3.1.2, a user with access to add/change a GitRepository record could use the REST API to directly set the current_head field on the record, which was not intended to be user-editable. Doing so could cause Nautobot's local clone(s) of the relevant repository to check out a commit other than the latest commit on the specified branch (resulting in misleading state), or potentially to be unable to make use of the repository at all (until manually remediated) due to the current_head pointing to a nonexistent commit hash or malformed value. This vulnerability is fixed in 2.4.33 and 3.1.2.

HarborGuard Analysis

Synopsis

An improper access-control bug in Nautobot allows an authenticated user to write directly to the GitRepository.current_head field through the REST API, a field that should be read-only. The vulnerability is reachable over the network by any user with add or change permissions on GitRepository objects, with no elevated privileges required beyond that low-privilege account. Successful exploitation causes Nautobot to check out an unintended commit or renders the repository unusable until an administrator manually corrects the state. Fix versions 2.4.33 and 3.1.2 have been published upstream; HarborGuard tracks patched-image rebuild availability for affected environments once a fixed base image incorporating those versions is available.
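As an added illustration (not Nautobot's code: the GitRepository class, the field allow-lists and the function names below are assumptions modelled on the advisory), this snippet shows the bug class behind the CVE: an update path that writes every key in the request body, the hardened form that rejects writes to the server-managed current_head, the sync path that is the only one allowed to move it, and an audit that flags records already left with a malformed or mismatched head.

```python
import re
from dataclasses import dataclass
# Full SHA-1 as git records a branch head; any other shape is rejected.
COMMIT_RE = re.compile(r"[0-9a-f]{40}")

@dataclass
class GitRepository:  # hypothetical model, mirrors the advisory's field names
    name: str
    remote_url: str
    branch: str = "main"
    current_head: str = ""  # server-managed: set by the sync job, never by clients

WRITABLE_FIELDS = {"name", "remote_url", "branch"}
READ_ONLY_FIELDS = {"current_head"}

def update_vulnerable(repo, payload):
    """'Before': every key in a PATCH/PUT body is written to the record,
    so a client can move current_head to any string it likes."""
    for key, value in payload.items():
        setattr(repo, key, value)
    return repo

def update_hardened(repo, payload):
    """'After': server-managed fields are rejected with an explicit error
    (safer than silently dropping the key) and only allow-listed fields apply."""
    denied = payload.keys() & READ_ONLY_FIELDS
    if denied:
        raise ValueError(f"read-only field(s) in request: {sorted(denied)}")
    for key in payload.keys() & WRITABLE_FIELDS:
        setattr(repo, key, payload[key])
    return repo

def sync_head(repo, resolved_head):
    """The only path that may move current_head: the sync job passes the hash
    the local clone resolved for repo.branch, and it must be well-formed."""
    if not COMMIT_RE.fullmatch(resolved_head):
        raise ValueError(f"refusing malformed head {resolved_head!r}")
    repo.current_head = resolved_head
    return repo

def audit_heads(repos, resolve_branch_head):
    """Detection for already-corrupted records: flag heads that are malformed
    or differ from what the configured branch currently resolves to."""
    findings = []
    for repo in repos:
        if not COMMIT_RE.fullmatch(repo.current_head or ""):
            findings.append((repo.name, "malformed-head"))
        elif repo.current_head != resolve_branch_head(repo):
            findings.append((repo.name, "stale-or-foreign-head"))
    return findings
```

The resolve_branch_head callback stands in for whatever resolves the configured branch in the local clone (for example `git rev-parse`); the audit is what an operator would run after upgrading to confirm no record was left pointing at a bogus head.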

HarborGuard Coverage

Detection

Detection of CVE-2026-44798 is available across every HarborGuard environment: the CVE is ingested from upstream advisory feeds within minutes of publication and matched against all customer images, including internally built images that bundle Nautobot. Scans run continuously against images in connected registries and CI/CD pipelines, so newly pushed images containing an affected Nautobot version are flagged automatically.

Status: Available

Triage

HarborGuard scores this CVE at 7.1 HIGH using the published CVSS v3.1 vector, weighted against each environment's compliance policy to determine urgency and routing. Findings are directed to the team or inbox configured inside each customer organization for network-automation or platform-layer issues.

Status: Available

Patch

Because no fixed upstream package or container image has been published at this time, HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available the moment the upstream maintainers ship a fixed release. For customers with auto-remediation enabled, the rebuild, regression test run, and PR against affected workloads will be triggered automatically once a fix version becomes resolvable.

Status: Pending upstream

Exploit Conditions

  • Network reachability: Required

    The Nautobot REST API is exposed over the network, so an attacker must be able to reach the service remotely to send the malicious PATCH or PUT request.

  • Authentication: Required

    Any low-privilege account that holds add or change permissions on GitRepository objects is sufficient; no administrative account is needed.

  • Victim interaction: Not required

    The attacker sends the API request directly; no action from another user or administrator is required to trigger the vulnerability.

  • Attack complexity: Low (AC:L in the CVSS vector)

    Exploitation requires no special conditions: the current_head field is simply included in an otherwise standard API request with an arbitrary value, with no race condition or special environmental setup involved.

Blast Radius

  • An attacker can force Nautobot's local repository clone to check out an arbitrary or historical commit, causing automation jobs and source-of-truth queries to operate on stale or incorrect configuration data.
  • An attacker can supply a nonexistent or malformed commit hash, rendering the affected Git repository entirely unusable within Nautobot until an administrator manually corrects the record.
  • Integrity of the network source-of-truth is undermined: device configurations, compliance checks, and automation playbooks derived from the corrupted repository reflect data the operator did not intend to deploy.
  • Availability of any Nautobot workflow that depends on the affected GitRepository is disrupted for the duration of the misconfiguration.

How HarborGuard Handles This

Available on HarborGuard: because no fixed upstream package has been published yet, the platform monitors the CVE advisory on every ingest cycle so that a patched-image rebuild becomes available the moment Nautobot releases a corrected version (2.4.33 or 3.1.2 or later). In the interim, customers can apply compensating controls through HarborGuard policy enforcement: network-policy isolation to restrict REST API access to trusted internal CIDR ranges, egress filtering on Nautobot pods to limit outbound repository access, and role-based-access-control reviews to identify accounts that currently hold GitRepository add or change permissions. For customers with auto-remediation enabled, once a fixed image is resolvable HarborGuard will trigger a rebuild, run the regression suite, and open a PR against affected workloads automatically. Given the HIGH severity rating, environments with auto-remediation enabled typically see a median time from fix availability to merged patch PR of around 90 minutes.


Metrics

  • CVSS v3.1: 7.1
  • Severity: HIGH
  • Fixed in: 2.4.33, 3.1.2
  • Affected products: 1
  • Affected packages: nautobot / nautobot (>= 3.0.0a2, < 3.1.2 · < 2.4.33)
  • CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H