GHSA-c35q-vxrp-ph26

Source

https://github.com/advisories/GHSA-c35q-vxrp-ph26

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-c35q-vxrp-ph26/GHSA-c35q-vxrp-ph26.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-c35q-vxrp-ph26

Aliases

CVE-2026-44797

Published

2026-05-13T15:30:59Z

Modified

2026-05-13T15:48:36.435256Z

Severity

8.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N CVSS Calculator

Summary

Nautobot: Webhook definitions could be used for server-side request forgery (SSRF)

Details

Impact

Nautobot's Webhook data model and associated feature set could be configured by users with sufficient access to perform requests to various hosts and IP addresses that should not be permitted, allowing for various behaviors similar to server-side request forgery (SSRF).

Patches

Fixes are available in Nautobot v2.4.33 and v3.1.2.

In support of this fix, three new settings variables have been added to Nautobot:

WEBHOOK_ALLOWED_SCHEMES - By default new or updated Webhook records will be restricted to HTTP or HTTPS only, disallowing other schemes that may have been previously allowed. Administrators should audit existing Webhook records to identify any that are invalid, and either update/delete said records or customize WEBHOOK_ALLOWED_SCHEMES as appropriate.
WEBHOOK_ADDITIONAL_BLOCKED_NETWORKS - This can be used to specify additional IP networks that should be denied to Webhook sending, for example some deployments may wish to disallow RFC1918 addresses or even disallow all networks and carve out specific exemptions using the following setting.
WEBHOOK_ALLOWED_HOSTS - This can be used to provide an allow-list of specific hosts that would otherwise be blocked by any WEBHOOK_ADDITIONAL_BLOCKED_NETWORKS configuration.

Workarounds

Administrators should review which users have been granted add or change permissions for the Webhook data model, and should review currently defined Webhook records for safety and validity. Other than that, no specific workaround has been identified.

References

2.4.33 (<a href="https://github.com/nautobot/nautobot/commit/16aa4aa9796ab7a31c4d615ec945e1f16d8c77c4">patch</a>)
3.1.2 (<a href="https://github.com/nautobot/nautobot/commit/7324c8f0d8c7245fbc691e15d729adc2d2707d08">patch</a>)

Database specific

{
    "github_reviewed": true,
    "github_reviewed_at": "2026-05-13T15:30:59Z",
    "cwe_ids": [
        "CWE-918"
    ],
    "severity": "HIGH",
    "nvd_published_at": null
}

References

Affected packages

PyPI / nautobot

Package

Name: nautobot; View open source insights on deps.dev
Purl: pkg:pypi/nautobot

Affected ranges

Type: ECOSYSTEM
Events: Introduced

3.0.0a2

Fixed

3.1.2

Affected versions

3.*

3.0.0a2

3.0.0a3

3.0.0rc1

3.0.0rc2

3.0.0

3.0.1

3.0.2

3.0.3

3.0.4

3.0.5

3.0.6

3.0.7

3.0.8

3.0.9

3.0.10

3.0.11

3.1.0a1

3.1.0a2

3.1.0a3

3.1.0a4

3.1.0a5

3.1.0

3.1.1

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-c35q-vxrp-ph26/GHSA-c35q-vxrp-ph26.json"

PyPI / nautobot

Package

Name: nautobot; View open source insights on deps.dev
Purl: pkg:pypi/nautobot

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

2.4.33

Affected versions

1.*

1.0.0a1

1.0.0a2

1.0.0b1

1.0.0b2

1.0.0b3

1.0.0b4

1.0.0

1.0.1

1.0.2

1.0.3

1.1.0

1.1.1

1.1.2

1.1.3

1.1.4

1.1.5

1.1.6

1.2.0

1.2.1

1.2.2

1.2.3

1.2.4

1.2.5

1.2.6

1.2.7

1.2.8

1.2.9

1.2.10

1.2.11

1.3.0

1.3.1

1.3.2

1.3.3

1.3.4

1.3.5

1.3.6

1.3.7

1.3.8

1.3.9

1.3.10

1.4.0

1.4.1

1.4.2

1.4.3

1.4.4

1.4.5

1.4.7

1.4.8

1.4.9

1.4.10

1.5.0

1.5.1

1.5.2

1.5.3

1.5.4

1.5.5

1.5.6

1.5.7

1.5.8

1.5.9

1.5.10

1.5.11

1.5.12

1.5.13

1.5.14

1.5.15

1.5.16

1.5.17

1.5.18

1.5.19

1.5.20

1.5.21

1.5.22

1.5.23

1.5.24

1.6.0

1.6.1

1.6.2

1.6.3

1.6.4

1.6.5

1.6.6

1.6.7

1.6.8

1.6.9

1.6.10

1.6.11

1.6.12

1.6.13

1.6.14

1.6.15

1.6.16

1.6.17

1.6.18

1.6.19

1.6.20

1.6.21

1.6.22

1.6.23

1.6.24

1.6.25

1.6.26

1.6.27

1.6.28

1.6.29

1.6.30

1.6.31

1.6.32

2.*

2.0.0

2.0.1

2.0.2

2.0.3

2.0.4

2.0.5

2.0.6

2.1.0b1

2.1.0

2.1.1

2.1.2

2.1.3

2.1.4

2.1.5

2.1.6

2.1.7

2.1.8

2.1.9

2.2.0b1

2.2.0

2.2.1

2.2.2

2.2.3

2.2.4

2.2.5

2.2.6

2.2.7

2.2.8

2.2.9

2.3.0b1

2.3.0

2.3.1

2.3.2

2.3.3

2.3.4

2.3.5

2.3.6

2.3.7

2.3.8

2.3.9

2.3.10

2.3.11

2.3.12

2.3.13

2.3.14

2.3.15b1

2.3.15

2.3.16

2.4.0b1

2.4.0

2.4.1

2.4.2

2.4.3

2.4.4

2.4.5

2.4.6

2.4.7

2.4.8

2.4.9

2.4.10

2.4.11

2.4.12

2.4.13

2.4.14

2.4.15

2.4.16

2.4.17

2.4.18

2.4.19

2.4.20

2.4.21

2.4.22

2.4.23

2.4.24

2.4.25

2.4.26

2.4.27

2.4.28

2.4.29

2.4.30

2.4.31

2.4.32

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-c35q-vxrp-ph26/GHSA-c35q-vxrp-ph26.json"