CVE-2026-29514
published 2026-05-04

Priority P263 · high · 8.8 CVSS 3.1
Vector: AV:N / AC:L / PR:L / UI:N / S:U / C:H / I:H / A:H
EPSS: 0.78% (51.4th percentile)
NetBox versions 4.3.5 through 4.5.4 contain a remote code execution vulnerability in the RenderTemplateMixin.get_environment_params() method that allows authenticated users with exporttemplate or configtemplate permissions to execute arbitrary code by specifying malicious Python callables in the environment_params field. Attackers can bypass Jinja2 SandboxedEnvironment protections by setting the finalize parameter to any importable Python callable such as subprocess.getoutput, which is invoked on every rendered expression outside the sandbox's call interception mechanism, achieving remote code execution as the NetBox service user.

Affected (1 range)

| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| netbox-community | netbox | 4.3.5 – 4.5.4 | |

Detection & IOCs (extracted from sources)

  • Look for HTTP requests to NetBox export/config template endpoints where the `environment_params` field contains a `finalize` key referencing an importable Python callable (e.g., `subprocess.getoutput`)
  • Monitor NetBox application logs for authenticated requests from users holding `exporttemplate` or `configtemplate` permissions that include `environment_params` in POST body payloads
  • Audit calls to `RenderTemplateMixin.get_environment_params()` in NetBox source/runtime for unexpected `finalize` values pointing to OS-level callables such as `subprocess.getoutput`, `os.system`, or `os.popen`
  • Alert on NetBox process spawning unexpected child processes (e.g., shell commands) as the NetBox service user, which would indicate successful exploitation via the finalize callable injection
  • Vulnerability affects only NetBox versions 4.3.5 through 4.5.4; instances outside this range are not affected
  • Exploitation requires authentication AND the attacker's account must hold `exporttemplate` or `configtemplate` permissions; unauthenticated or low-privilege users cannot trigger this vulnerability
  • The Jinja2 SandboxedEnvironment is bypassed specifically via the `finalize` parameter mechanism, meaning sandbox-based detections alone are insufficient to catch exploitation
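
One way to run the `finalize` audit from the list above over exported template records, as an added example (not NetBox or cvebase code). The record shape (`name` and `environment_params` keys) and the sample records are assumptions constructed for illustration.

```python
import json

# OS-level callables named in the detection notes above.
OS_LEVEL = {"subprocess.getoutput", "os.system", "os.popen"}

def audit_templates(records):
    """Return (name, severity, value) for every template that sets `finalize`.

    Any `finalize` value is reported, because the advisory says any importable
    callable works; the ones named on this page are rated "critical".
    """
    findings = []
    for rec in records:
        params = rec.get("environment_params")
        if isinstance(params, str):  # field may arrive as serialized JSON
            try:
                params = json.loads(params)
            except ValueError:
                findings.append((rec.get("name"), "unparseable", None))
                continue
        if not isinstance(params, dict) or "finalize" not in params:
            continue
        value = params["finalize"]
        known = isinstance(value, str) and value.strip() in OS_LEVEL
        findings.append((rec.get("name"), "critical" if known else "review", value))
    return findings

# Constructed sample records (hypothetical export of template objects).
SAMPLE = [
    {"name": "device-csv", "environment_params": {"trim_blocks": True}},
    {"name": "rack-report", "environment_params": {"finalize": "subprocess.getoutput"}},
    {"name": "site-config", "environment_params": '{"finalize": "builtins.repr"}'},
    {"name": "broken", "environment_params": "{not json"},
    {"name": "no-params", "environment_params": None},
]

if __name__ == "__main__":
    for name, severity, value in audit_templates(SAMPLE):
        print(f"{severity:12} {name:12} finalize={value!r}")
```

Records rated "review" still warrant attention on affected versions, since `finalize` has no ordinary reason to point at an arbitrary importable callable.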

CVSS provenance

nvd · v3.1 · 8.8 · HIGH · CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
nvd · v4.0 · 8.7 · HIGH · CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X