NetBox v3.1.2 Security Advisory: API Bypass/Validation Bypass and Dependency CVEs Fix

Vulnerability Overview In version 3.1.2, multiple security vulnerabilities were identified, primarily involving Webhook configuration, API access control, data validation, and dependency updates. Impact Scope Webhook Configuration: By default, newly created or updated Webhook records are restricted to HTTP or HTTPS protocols; other protocols are disabled. API Access Control: Certain API endpoints suffer from inadequate access controls, potentially leading to unauthorized access or data leakage. Data Validation: Some API endpoints lack sufficient data validation, which could allow malicious input or data corruption. Dependency Updates: Multiple dependencies contain known vulnerabilities, requiring timely updates to mitigate potential security risks. Remediation Plan 1. Webhook Configuration: - Added the configuration variable to restrict Webhook protocols to HTTP or HTTPS. - Added the configuration variable, allowing administrators to specify additional blocked networks. - Added the configuration variable, allowing administrators to specify additional blocked hosts. 2. API Access Control: - Fixed access control issues in and to prevent unauthorized users from executing bulk rename operations. - Fixed access control issues related to objects, ensuring that only authorized users can assign related objects. 3. Data Validation: - Added data validation in the method and the helper class methods to prevent malicious input. - Fixed validation issues for the and fields in the REST API. - Fixed validation issues for the field in the REST API. - Fixed validation issues for the field in the REST API. 4. Dependency Updates: - Updated to to mitigate CVE-2026-5766, CVE-2026-35192, and CVE-2026-6907. - Updated to to mitigate CVE-2026-44243, CVE-2026-44244, and GHSA-mv93-x799-qj2x. - Updated to to mitigate related vulnerabilities. - Added as a dependency. Other Fixes Fixed the "Assume Ownership" action button in the detail view to ensure only authorized users can perform this action. Fixed an issue where the flag was being dropped during modal dialog interactions, ensuring the page reloads after the close button (footer, header) or Escape key is pressed. Addressed N+1 query issues in the VRP detail view, optimizing performance for template fields (devices, virtual machines, virtual device contexts). Fixed sorting issues on the Job History main panel. Replaced operations in and with the generic . Added the option for invoking test tasks. Added the option for invoking tasks. Updated the development dependency to ^46.15.0. Updated the development dependency to ~0.9.37. Resolved a series of code issues reported by CodeQL. Relaxed the timeout requirements in to reduce false positives in CI. Contributors @Pkawa-ntc @glenmmatthews @joewesch @justinbrink @renovate Full Changelog v3.1.1 - v3.1.2 Assets 4 Assets Discussion 0 Comments --- This summarizes the security vulnerabilities found in version 3.1.2, including the vulnerability overview, impact scope, and remediation plans.

Goal Reached Thanks to every supporter — we hit 100%!

NetBox v3.1.2 Security Advisory: API Bypass/Validation Bypass and Dependency CVEs Fix

More from this source