CVE-2024-29199

CVE-2024-29199 is a low-severity security vulnerability in nautobot (pip), affecting versions < 1.6.16. It is fixed in 1.6.16, 2.1.9.

Summary

Workarounds

Partial workaround: If your configuration includes a non-default value for EXEMPT_VIEW_PERMISSIONS (the Nautobot default is an empty list), reverting it to default will prevent exposure of Nautobot information to unauthenticated users via the endpoints marked with (1) above.

References

Are there any links users can visit to find out more?

Impact

A number of Nautobot URL endpoints were found to be improperly accessible to unauthenticated (anonymous) users, including the following:

  • /api/graphql/ (1)
  • /api/users/users/session/ (Nautobot 2.x only; the only information exposed to an anonymous user is which authentication backend classes are enabled on this Nautobot instance)
  • /dcim/racks/<uuid:pk>/dynamic-groups/ (1)
  • /dcim/devices/<uuid:pk>/dynamic-groups/ (1)
  • /extras/job-results/<uuid:pk>/log-table/
  • /extras/secrets/provider/<str:provider_slug>/form/ (the only information exposed to an anonymous user is the fact that a secrets provider with the given slug (e.g. environment-variable or text-file) is supported by this Nautobot instance)
  • /ipam/prefixes/<uuid:pk>/dynamic-groups/ (1)
  • /ipam/ip-addresses/<uuid:pk>/dynamic-groups/ (1)
  • /virtualization/clusters/<uuid:pk>/dynamic-groups/ (1)
  • /virtualization/virtual-machines/<uuid:pk>/dynamic-groups/ (1)

(1) These endpoints will not disclose any Nautobot data to an unauthenticated user unless the Nautobot configuration variable EXEMPT_VIEW_PERMISSIONS is changed from its default value (an empty list) to permit access to specific data by unauthenticated users.

Of these endpoints, the only one that poses any significant risk of sensitive information disclosure under normal Nautobot operation with a default configuration is /extras/job-results/<uuid:pk>/log-table/. This endpoint returns an HTML table containing all of the logs associated with the specified JobResult; while these logs may contain sensitive information depending on the Jobs executed in Nautobot, this exposure is mitigated somewhat by the fact that any attacker would have to have prior knowledge of the existence of a JobResult with a particular UUID.

In the interest of full disclosure, the following additional endpoints were also accessible to anonymous users, but do not disclose any sensitive data when accessed (only a listing of other API endpoints).

  • /api/
  • /api/circuits/
  • /api/dcim/
  • /api/extras/
  • /api/ipam/
  • /api/plugins/
  • /api/tenancy/
  • /api/users/
  • /api/virtualization/

All of the above endpoints have been corrected to require user authentication, with the exception of /api/users/users/session/ which is unused at this time and therefore has been simply removed from Nautobot 2.1.9. Additionally, we have added test automation which enumerates available Nautobot URL endpoints and verifies that appropriate authentication requirements are in place; this test was instrumental in identifying the above comprehensive list.

CVE-2024-29199 has a CVSS score of 3.7 (Low). The vector is network-reachable, no privileges required, and no user interaction. A CVSS score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether this affects your application depends on whether the vulnerable code is present and reachable in your environment. A fixed version is available (1.6.16, 2.1.9); upgrading removes the vulnerable code path.

Affected versions

nautobot (< 1.6.16) nautobot (>= 2.0.0, < 2.1.9)

Security releases

nautobot → 1.6.16 (pip) nautobot → 2.1.9 (pip)

Kodem intelligence

Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.

Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter. Kodem's runtime-powered SCA identifies whether this CVE is reachable in your applications.

See it in your environment

Remediation advice

Fixes will be included in Nautobot 1.6.16 and 2.1.9.

Frequently Asked Questions

  1. What is CVE-2024-29199? CVE-2024-29199 is a low-severity security vulnerability in nautobot (pip), affecting versions < 1.6.16. It is fixed in 1.6.16, 2.1.9.
  2. How severe is CVE-2024-29199? CVE-2024-29199 has a CVSS score of 3.7 (Low). This score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether it represents real risk in your environment depends on whether the vulnerable code is present and reachable.
  3. Which versions of nautobot are affected by CVE-2024-29199? nautobot (pip) versions < 1.6.16 is affected.
  4. Is there a fix for CVE-2024-29199? Yes. CVE-2024-29199 is fixed in 1.6.16, 2.1.9. Upgrade to this version or later.
  5. Is CVE-2024-29199 exploitable, and should I be worried? Whether CVE-2024-29199 is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk. Get a demo
  6. What actually determines whether CVE-2024-29199 is exploitable, and how bad it is? Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
  7. How do I fix CVE-2024-29199?
    • Upgrade nautobot to 1.6.16 or later
    • Upgrade nautobot to 2.1.9 or later

Other vulnerabilities in nautobot

CVE-2026-44798CVE-2026-44797CVE-2026-44796CVE-2026-44794CVE-2026-34203

Stop the waste.
Protect your environment with Kodem.