CVE-2026-44798
Published: 28 May 2026
Summary
CVE-2026-44798 is a high-severity Modification of Assumed-Immutable Data (MAID, CWE-471) vulnerability in Networktocode Nautobot. Its CVSS base score is 7.1 (High).
Its exploit-likelihood ranking is at the 16.0th percentile (below the median), and it is not currently listed in the CISA KEV catalog.
Vulnerability
Nautobot is a Network Source of Truth and Network Automation Platform. Prior to 2.4.33 and 3.1.2, a user with access to add/change a GitRepository record could use the REST API to directly set the current_head field on the record, which was not intended to be user-editable. Doing so could cause Nautobot's local clone(s) of the relevant repository to check out a commit other than the latest commit on the specified branch (resulting in misleading state), or potentially to be unable to make use of the repository at all (until manually remediated) because current_head points to a nonexistent commit hash or a malformed value. This vulnerability is fixed in 2.4.33 and 3.1.2.
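The description above boils down to two things a practitioner wants to check: whether an installed Nautobot version falls in the affected range, and what the mass-assignment pattern behind the bug looks like next to its fix. The following is an added example written for this page, not Nautobot's own code. The record layout, the `USER_EDITABLE` field set and the `fake_resolve_branch_tip` lookup table are constructed stand-ins for a GitRepository record and for `git ls-remote`; the real models and API differ. The version check implements the advisory's "prior to 2.4.33 and 3.1.2" wording literally, so any 1.x release is also reported as affected.

```python
"""
Added example for CVE-2026-44798 (not Nautobot's code).

1. is_affected(): is an installed Nautobot version inside the affected range?
2. apply_patch_vulnerable() / apply_patch_hardened(): a minimal stand-in for a
   REST PATCH handler on a GitRepository-like record. The vulnerable form writes
   whatever keys the client sends (so current_head can be set to any value);
   the hardened form rejects non-editable keys and derives current_head on the
   server from the configured branch, then validates it as a commit hash.

Record shape, editable-field list and the branch-tip resolver are constructed
for this example and are assumptions, not Nautobot's real data model.
"""
import re
from typing import Callable

FIXED_2X = (2, 4, 33)
FIXED_3X = (3, 1, 2)


def parse_version(v: str) -> tuple[int, ...]:
    """'2.4.32' -> (2, 4, 32); a trailing suffix such as 'b1' is ignored."""
    m = re.match(r"^(\d+)\.(\d+)\.(\d+)", v.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {v!r}")
    return tuple(int(x) for x in m.groups())


def is_affected(version: str) -> bool:
    """True when the version is 'prior to 2.4.33' (for < 3.0) or 'prior to 3.1.2' (for 3.x)."""
    v = parse_version(version)
    if v >= (3, 0, 0):
        return v < FIXED_3X
    # Everything below 3.0.0, including unsupported 1.x, is "prior to 2.4.33".
    return v < FIXED_2X


# Assumed set of fields a client may legitimately set on the record.
USER_EDITABLE = frozenset({"name", "remote_url", "branch", "provided_contents"})
# SHA-1 (40 hex) or SHA-256 (64 hex) object names, as git prints them.
COMMIT_HASH_RE = re.compile(r"^(?:[0-9a-f]{40}|[0-9a-f]{64})$")


class ReadOnlyFieldError(ValueError):
    """Raised when a client tries to write a field the server owns."""


def apply_patch_vulnerable(record: dict, payload: dict) -> dict:
    """Vulnerable pattern: every key in the client payload lands on the record."""
    updated = dict(record)
    updated.update(payload)  # current_head accepted verbatim, unvalidated
    return updated


def apply_patch_hardened(record: dict, payload: dict,
                         resolve_branch_tip: Callable[[str, str], str]) -> dict:
    """Hardened pattern: reject read-only/unknown keys; current_head is
    server-derived from the branch and must be a well-formed commit hash."""
    unexpected = set(payload) - USER_EDITABLE
    if unexpected:
        raise ReadOnlyFieldError(f"read-only or unknown field(s): {sorted(unexpected)}")
    updated = dict(record)
    updated.update(payload)
    head = resolve_branch_tip(updated["remote_url"], updated["branch"])
    if not COMMIT_HASH_RE.match(head):
        raise ValueError(f"resolver returned a malformed commit hash: {head!r}")
    updated["current_head"] = head
    return updated


# Constructed stand-in for `git ls-remote <url> <branch>`: a fixed lookup table.
_BRANCH_TIPS = {
    ("https://git.example.test/netops/configs.git", "main"): "a" * 40,
    ("https://git.example.test/netops/configs.git", "develop"): "b" * 40,
}


def fake_resolve_branch_tip(remote_url: str, branch: str) -> str:
    try:
        return _BRANCH_TIPS[(remote_url, branch)]
    except KeyError:
        raise LookupError(f"branch {branch!r} not found on {remote_url}")


# Constructed sample record (not a real Nautobot object).
SAMPLE_RECORD = {
    "name": "netops-configs",
    "remote_url": "https://git.example.test/netops/configs.git",
    "branch": "main",
    "provided_contents": ["extras.job"],
    "current_head": "a" * 40,
}

if __name__ == "__main__":
    for v in ("2.4.32", "2.4.33", "3.0.5", "3.1.1", "3.1.2"):
        print(v, "affected" if is_affected(v) else "fixed")
    hostile = {"current_head": "deadbeef"}  # malformed: would break the local clone
    print("vulnerable:", apply_patch_vulnerable(SAMPLE_RECORD, hostile)["current_head"])
    try:
        apply_patch_hardened(SAMPLE_RECORD, hostile, fake_resolve_branch_tip)
    except ReadOnlyFieldError as exc:
        print("hardened rejected:", exc)
    moved = apply_patch_hardened(SAMPLE_RECORD, {"branch": "develop"}, fake_resolve_branch_tip)
    print("hardened, branch change:", moved["current_head"])
```

The hardened handler enforces an allow-list of writable fields rather than a deny-list of `current_head` alone, so a later server-derived field added to the record is protected by default; the commit-hash regex is a format check only and does not by itself prove the commit exists on the remote, which is why the value is taken from the resolver rather than from the client.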
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-32973
Threat picture
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Defense & controls
Likely Mitigating Controls
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness type (CWE-471) cited in the NVD entry. For this issue the concrete remediation is the vendor fix: upgrade to Nautobot 2.4.33 or 3.1.2, after which current_head is no longer writable through the REST API.
- Explicitly prohibiting dangerous or unnecessary functions and services prevents exposure of methods that could be directly exploited; here, the API must not expose a write path to a field the server is meant to derive.
- Minimal functionality removes or avoids exposure of dangerous methods and functions; fields a client has no legitimate reason to set should not be accepted from it.
- Checksums and integrity protection detect unauthorized modification of data assumed to be immutable; here, the stored current_head should be treated as server-derived state and checked as a well-formed commit hash that exists on the configured branch before any checkout is attempted.