{"id":"PYSEC-2026-1690","summary":"Nautobot Single Source of Truth (SSoT) has an unauthenticated ServiceNow configuration URL","details":"The servicenow config URL is using a generic django View with no authentication.\n\nURL: `/plugins/ssot/servicenow/config/`\n\n### Impact\n_What kind of vulnerability is it? Who is impacted?_\nAn Unauthenticated attacker could access this page to view the Service Now public instance name e.g. `companyname.service-now.com`. This is considered **low-value information**.  This does not expose the Secret, the Secret Name, or the Secret Value for the Username/Password for Service-Now.com. An unauthenticated member would not be able to change the instance name, nor set a Secret. There is not a way to gain access to other pages Nautobot through the unauthenticated Configuration page.\n\n### Patches\n_Has the problem been patched? What versions should users upgrade to?_\nWe highly recommend upgrading to SSoT v3.10.0 which includes this patch.\n\n### Workarounds\n_Is there a way for users to fix or remediate the vulnerability without upgrading?_\nDisable the servicenow SSoT integration","aliases":["CVE-2025-62607","GHSA-535g-62r7-cx6v"],"modified":"2026-07-07T17:47:06.474537140Z","published":"2026-07-07T16:03:07.908555Z","references":[{"type":"WEB","url":"https://github.com/nautobot/nautobot-app-ssot/security/advisories/GHSA-535g-62r7-cx6v"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-62607"},{"type":"WEB","url":"https://github.com/nautobot/nautobot-app-ssot/commit/1530d25cdeb929641ec47644f9a0a1d9d41e1cb8"},{"type":"PACKAGE","url":"https://github.com/nautobot/nautobot-app-ssot"},{"type":"WEB","url":"https://github.com/nautobot/nautobot-app-ssot/releases/tag/v3.10.0"},{"type":"PACKAGE","url":"https://pypi.org/project/nautobot-ssot"},{"type":"ADVISORY","url":"https://github.com/advisories/GHSA-535g-62r7-cx6v"}],"affected":[{"package":{"name":"nautobot-ssot","ecosystem":"PyPI","purl":"pkg:pypi/nautobot-ssot"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"3.10.0"}]}],"versions":["1.0.0","1.0.1","1.1.0","1.1.1","1.1.2","1.2.0","1.3.0","1.3.1","1.3.2","1.4.0","1.5.0","1.6.0","1.6.1","1.6.2","1.6.3","1.6.4","1.6.5","2.0.0","2.0.0b1","2.0.0b2","2.0.0rc1","2.0.0rc2","2.0.1","2.0.2","2.1.0","2.2.0","2.3.0","2.4.0","2.5.0","2.6.0","2.6.1","2.7.0","2.8.0","2.8.1","3.0.0","3.0.1","3.1.0","3.2.0","3.3.0","3.4.0","3.5.0","3.6.0","3.7.0","3.8.0","3.8.1","3.9.0","3.9.1","3.9.2","3.9.3","3.9.4"],"database_specific":{"source":"https://github.com/pypa/advisory-database/blob/main/vulns/nautobot-ssot/PYSEC-2026-1690.yaml"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"}]}