NetBox 4.3.5 - 4.5.4 RCE via RenderTemplateMixin | Advisories

Advisories

NetBox 4.3.5 - 4.5.4 RCE via RenderTemplateMixin

severity: high
date: 5/4/2026
Affecting: NetBox Community 4.3.5 - 4.5.4
CVE: CVE-2026-29514
CWE: CWE-183 Permissive List of Allowed Inputs
CVSS: 8.7
CVSS V4 Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
References: Chocapikk Disclosure & PoC
GitHub Issue
Closed Pull Request
Credit: Valentin Lobstein (Chocapikk)
Description: NetBox versions 4.3.5 through 4.5.4 contain a remote code execution vulnerability in the RenderTemplateMixin.get_environment_params() method that allows authenticated users with exporttemplate or configtemplate permissions to execute arbitrary code by specifying malicious Python callables in the environment_params field. Attackers can bypass Jinja2 SandboxedEnvironment protections by setting the finalize parameter to any importable Python callable such as subprocess.getoutput, which is invoked on every rendered expression outside the sandbox's call interception mechanism, achieving remote code execution as the NetBox service user.

Ready to get Started?

Explore VulnCheck, a next-generation Cyber Threat Intelligence platform, which provides exploit and vulnerability intelligence to help you prioritize and remediate vulnerabilities that matter.

Vulnerability Prioritization
Prioritize vulnerabilities that matter based on the threat landscape and defer vulnerabilities that don't.
Early Warning System
Real-time alerting of changes in the vulnerability landscape so that you can take action before the attacks start.

Schedule a Demo