Nautobot, Improper REST API Access Control, GHSA-p3hx-pwf3-j8wr (Medium)

Listen to this Post

The vulnerability arises because the `current_head` field of the `GitRepository` model is mutable via the REST API. In Nautobot versions before 2.4.33 and 3.1.2, this field is not properly protected against direct write operations. An authenticated user with permissions to add or modify a `GitRepository` record can send a crafted API request that sets the `current_head` to an arbitrary commit hash or a malformed value. Normally, this field is intended to be managed internally by Nautobot to track the latest commit of a given branch. However, the REST API endpoint does not enforce the necessary validation or read-only status. When a user changes the `current_head` to a non‑existent or invalid commit, Nautobot’s background job that clones or fetches the repository will attempt to check out that commit. This leads to two possible consequences: 1) the local copy of the repository ends up in an unexpected state (pointing to a commit that is not the latest on the branch), or 2) the repository becomes unusable because the specified commit does not exist. The issue is a combination of missing input validation and incorrect authorization logic in the REST API layer. The fix in v2.4.33 and 3.1.2 makes the `current_head` field read‑only for API write operations, ensuring that it can only be updated by internal processes. Administrators should also note that changing the `branch` or `remote_url` of a `GitRepository` can produce similar symptoms, so careful permission management is advised.

DailyCVE form (3 words max per line):

Platform: Nautobot
Version: <2.4.33/3.1.2
Vulnerability : REST API manipulation
Severity: Medium
date: 2026-05-08

Prediction: Already patched (2026-05-08)

What Undercode Say:

Check installed Nautobot version
nautobot-server --version
Query GitRepository objects via API (requires token)
curl -H "Authorization: Token $NAUTOBOT_TOKEN" \
https://nautobot.example.com/api/extras/git-repositories/
Attempt to modify current_head (vulnerable versions only)
curl -X PATCH -H "Authorization: Token $NAUTOBOT_TOKEN" \
-H "Content-Type: application/json" \
-d '{"current_head": "nonexistent-hash"}' \
https://nautobot.example.com/api/extras/git-repositories/<uuid>/
Verify that current_head is read-only in patched versions
curl -X PATCH -H "Authorization: Token $NAUTOBOT_TOKEN" \
-H "Content-Type: application/json" \
-d '{"current_head": "invalid"}' \
https://nautobot.example.com/api/extras/git-repositories/<uuid>/

Exploit:

To exploit this vulnerability, an attacker with permissions to add or change a `GitRepository` record sends a PATCH request to the REST API endpoint `/api/extras/git-repositories//` containing a malicious `current_head` value. For example, setting `”current_head”: “0000000000000000000000000000000000000000”` or a malformed string like "../../config". Nautobot then tries to check out that value, causing the local repository to become inconsistent or entirely unusable. The attack requires knowledge of a valid repository UUID and an authenticated API token with the necessary object permissions.

Protection from this CVE:

  • Upgrade Nautobot to v2.4.33 or v3.1.2 (or any later release).
  • If upgrade is not immediately possible, remove `add` and `change` permissions for `GitRepository` from all non‑essential users.
  • Regularly audit API logs for unexpected PATCH requests to `git-repositories` endpoints.
  • Apply the official patch commits:
  • 2.4.33 patch
  • 3.1.2 patch

Impact:

  • Misleading state: The local repository clone checks out a commit that is not the latest on the specified branch, breaking the assumption of up‑to‑date data.
  • Denial of service: If the `current_head` points to a nonexistent commit or a malformed value, Nautobot can no longer use the repository at all until manual remediation (e.g., deleting the local clone and re‑fetching).
  • No data loss or remote execution: The vulnerability does not allow arbitrary code execution or direct data theft, but it undermines the integrity of Git‑based automation and source‑of‑truth workflows.

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: github.com
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top