{"id":"CVE-2026-44796","summary":"Nautobot: Object bulk rename UI actions vulnerable to denial of service by crafted regular expression (REDoS)","details":"Nautobot is a Network Source of Truth and Network Automation Platform. Prior to 2.4.33 and 3.1.2, Nautobot UI object-bulk-rename endpoints (for example, /dcim/interfaces/rename/) were vulnerable to application-wide denial of service via maliciously crafted regular expressions in the find field in combination with the use_regex flag. This vulnerability is fixed in 2.4.33 and 3.1.2.","aliases":["GHSA-qrpw-gjvh-x5gm","PYSEC-2026-2226"],"modified":"2026-07-15T01:49:00.882703451Z","published":"2026-05-28T17:00:06.533Z","database_specific":{"cna_assigner":"GitHub_M","cwe_ids":["CWE-1333","CWE-400"],"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/44xxx/CVE-2026-44796.json"},"references":[{"type":"WEB","url":"https://github.com/nautobot/nautobot/releases/tag/v2.4.33"},{"type":"WEB","url":"https://github.com/nautobot/nautobot/releases/tag/v3.1.2"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/44xxx/CVE-2026-44796.json"},{"type":"ADVISORY","url":"https://github.com/nautobot/nautobot/security/advisories/GHSA-qrpw-gjvh-x5gm"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-44796"},{"type":"FIX","url":"https://github.com/nautobot/nautobot/commit/5a30d0916953afbeedd24a784709e762cc3879cd"},{"type":"FIX","url":"https://github.com/nautobot/nautobot/commit/c2b766966d814a7141f62c7bc90c85fefb7892ee"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/nautobot/nautobot","events":[{"introduced":"0"},{"fixed":"97f53aa551f655623df7e39e7afd2231c49602f2"},{"introduced":"b9e675881bc7cc1ce7896637828972e691860c91"},{"fixed":"2354943ce235f4d610be5e8d2b72928961a9ec8f"},{"fixed":"5a30d0916953afbeedd24a784709e762cc3879cd"},{"fixed":"c2b766966d814a7141f62c7bc90c85fefb7892ee"}],"database_specific":{"extracted_events":[{"introduced":"0"},{"fixed":"2.4.33"},{"introduced":"3.0.0"},{"fixed":"3.1.2"}],"source":["CPE_RANGE","REFERENCES"],"cpe":"cpe:2.3:a:networktocode:nautobot:*:*:*:*:*:*:*:*"}}],"versions":["v3.1.1","v2.4.32","v3.1.0","v3.0.11","v2.4.31","v3.0.10","v2.4.30","v3.0.9","v2.4.29","v3.0.8","v2.4.28","v3.0.7","v2.4.27","v3.0.6","v2.4.26","v3.0.5","v2.4.25","v3.0.4","v3.0.3","v2.4.24","v3.0.2","v3.0.1","v2.4.23","v3.0.0","v2.4.22","v2.4.21","v2.4.20","v2.4.19","v2.4.18","v2.4.17","v2.4.16","v2.4.15","v2.4.14","v2.4.13","v2.4.12","v2.4.11","v2.4.10","v2.4.9","v2.4.8","v2.4.7","v2.4.6","v2.4.5","v2.4.4","v2.4.3","v2.4.2","v2.4.1","v2.4.0","v2.3.16","v2.3.15","v2.3.14","v2.3.15-beta.1","v2.3.13","v2.3.12","v2.3.11","v2.3.10","v2.3.9","v2.3.8","v2.3.6","v2.3.5","v2.3.4","v2.3.3","v2.3.2","v2.3.1","v2.3.0","v2.2.9","v2.2.8","v2.2.7","v2.2.6","v2.2.5","v2.2.4","v2.2.3","v2.2.2","v2.2.1","v2.2.0","v2.1.9","v2.1.8","v2.1.7","v2.1.6","v2.1.5","v2.1.4","v2.1.3","v2.1.2","v2.1.1","v2.1.0","v2.0.6","v2.0.5","v2.0.4","v2.0.3","v2.0.2","v2.0.1","v2.0.0","v1.6.2","v2.0.0-rc.4","v2.0.0-rc.3","v1.6.1","v1.6.0","v1.5.24","v1.6.0-rc.1","v1.5.23","v1.5.22","v1.5.21","v1.5.20","v1.5.19","v1.5.18","v1.5.17","v1.5.16","v1.5.15","v1.5.14","v1.5.13","v1.5.12","v1.5.11","v1.5.10","v1.5.9","v1.5.8","v1.5.7","v1.5.6","v1.5.5","v1.5.4","v1.5.3","v1.5.2","v1.5.1","v1.5.0","v1.4.10","v1.4.9","v1.4.8","v1.4.7","v1.4.6","v1.4.5","v1.4.4","v1.4.3","v1.4.2","v1.4.1","v1.4.0","v1.3.10","v1.3","v1.3.9","v1.3.8","v1.3.7","v1.3.6","v1.3.5","v1.3.4","v1.3.3","v1.3.2","v1.3.1","v1.3.0","v1.2.11","v1.2","v1.2.10","v1.2.9","v1.2.8","v1.2.7","v1.2.6","v1.2.5","v1.2.4","v1.2.3","v1.2.2","v1.2.1","v1.2.0","v1.2.0b1","v1.1.4","v1.1.3","v1.1.2","v1.1.1","v1.1.0","v1.1.0b2","v1.1.0b1","v1.0.3","v1.0.2","v1.0.1","v1.0.0","v1.0.0b4","v1.0.0b3","v1.0.0b2","v1.0.0b1","v1.0.0a2","v1.0.0a1"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-44796.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"}]}