top of page
perceptive_background_267k.jpg

NetBox versions 4.3.5 through 4.5.4 contain a remote code execution vulnerability in the RenderTemplateMixin.get_environment_params() method that allows authent…

Published:

3 May 2026 at 22:00:00

Alert date:

4 May 2026 at 18:09:25

Source:

nvd.nist.gov

Click to open the original link from this advisory

Web Technologies, Enterprise Applications

NetBox versions 4.3.5 through 4.5.4 contain a remote code execution vulnerability in the RenderTemplateMixin.get_environment_params() method. Authenticated users with exporttemplate or configtemplate permissions can execute arbitrary code by specifying malicious Python callables in the environment_params field. The vulnerability allows attackers to bypass Jinja2 SandboxedEnvironment protections by setting the finalize parameter to importable Python callables like subprocess.getoutput. This bypass occurs outside the sandbox's call interception mechanism, enabling remote code execution as the NetBox service user.

Technical details

Mitigation steps:

Affected products:

NetBox

Related links:

https://nvd.nist.gov/vuln/detail/CVE-2026-29514
https://chocapikk.com/posts/2026/netbox-export-template-rce/
https://github.com/netbox-community/netbox/issues/22079
https://github.com/netbox-community/netbox/pull/22078
https://www.vulncheck.com/advisories/netbox-rce-via-rendertemplatemixin

Related CVE's:

Related threat actors:

IOC's:

This article was created with the assistance of AI technology by Perceptive.

About us

© 2025 by Perceptive Security. All rights reserved.

email: info@perceptivesecurity.com

Disclaimer: Deze website toont informatie afkomstig van externe bronnen. Perceptive aanvaardt geen verantwoordelijkheid voor de inhoud, juistheid of volledigheid van deze informatie.

bottom of page