netbox

v4.6.1 Security

This release includes 1 security fix for security teams reviewing exposed deployments.

This release patches 1 known CVE

Topics

cabling dcim django infrastructure-management ipam netbox network network-automation python sot sysadmin

Affected surfaces

rce_ssrf

Summary

AI summary

Broad release touches Bug Fixes, Enhancements, Performance Improvements, and Deprecations.

Changes in this release

Security Medium

Fix security vulnerability allowing arbitrary code execution via ExportTemplate `environment_params` (CVE-2026-29514).

Source: granite4.1:8b-q6_K@2026-05-19

Confidence: low

Security Medium

Restrict export template queryset to authorized objects in REST API and list views.

Source: granite4.1:8b-q6_K@2026-05-19

Confidence: low

Feature Medium

Correct errant and missing ARIA labels throughout the UI.

Source: granite4.1:8b-q6_K@2026-05-19

Confidence: high

Feature Medium

Add changelog message support for bulk rename operations.

Source: granite4.1:8b-q6_K@2026-05-19

Confidence: high

Feature Medium

Display the names of installed devices when selecting a rack position.

Source: granite4.1:8b-q6_K@2026-05-19

Confidence: high

Feature Medium

Display geographic hierarchy for circuit terminations assigned to sites, locations, or regions.

Source: granite4.1:8b-q6_K@2026-05-19

Confidence: high

Feature Medium

Allow IP ranges comprising a single IP address.

Source: granite4.1:8b-q6_K@2026-05-19

Confidence: high

Feature Medium

Add filter support for notifications and subscriptions to GraphQL API.

Source: granite4.1:8b-q6_K@2026-05-19

Confidence: high

Feature Medium

Introduce `HTTP_CLIENT_IP_HEADERS` configuration parameter to customize HTTP headers used to determine client IP address.

Source: granite4.1:8b-q6_K@2026-05-19

Confidence: high

Performance Medium

Implement GraphQL query depth limiting via `GRAPHQL_MAX_QUERY_DEPTH`.

Source: granite4.1:8b-q6_K@2026-05-19

Confidence: high

Performance Medium

Add prefetch hints to various GraphQL type mixins to improve query efficiency.

Source: granite4.1:8b-q6_K@2026-05-19

Confidence: high

Performance Medium

Add GIN index on CablePath to optimize filtering of cable paths by node.

Source: granite4.1:8b-q6_K@2026-05-19

Confidence: high

Performance Medium

Avoid retracing cable paths during cable deletion.

Source: granite4.1:8b-q6_K@2026-05-19

Confidence: high

Performance Medium

Avoid renumbering MPTT trees when creating module bays.

Source: granite4.1:8b-q6_K@2026-05-19

Confidence: high

Deprecation Medium

Deprecate support for v1 API tokens (to be removed in v5.0).

Source: granite4.1:8b-q6_K@2026-05-19

Confidence: high

Deprecation Medium

Deprecate support for PostgreSQL 14 (to be removed in v4.7).

Source: granite4.1:8b-q6_K@2026-05-19

Confidence: high

Bugfix Medium

Fix striped table rows overriding conditional row color highlighting for virtual/LAG interfaces.

Source: granite4.1:8b-q6_K@2026-05-19

Confidence: high

Bugfix Medium

Fix API exceptions being silently consumed by middleware without reporting to Sentry.

Source: granite4.1:8b-q6_K@2026-05-19

Confidence: high

Bugfix Medium

REST API should return plaintext for new v2 tokens upon creation.

Source: granite4.1:8b-q6_K@2026-05-19

Confidence: high

Bugfix Medium

Fix spurious changelog entries for `interface_b` generated when saving an unchanged wireless link.

Source: granite4.1:8b-q6_K@2026-05-19

Confidence: high

Bugfix Medium

Restore tenant and tenant group column options for circuits group table configuration.

Source: granite4.1:8b-q6_K@2026-05-19

Confidence: high

Bugfix Medium

Fix crash in system housekeeping job when no stable releases are available.

Source: granite4.1:8b-q6_K@2026-05-19

Confidence: high

Bugfix Medium

Fix `TypeError` exception raised by table config validation when `ordering` attribute is null.

Source: granite4.1:8b-q6_K@2026-05-19

Confidence: high

Bugfix Medium

Fix missing explicit `object_type` field annotation on TableConfigType GraphQL type.

Source: granite4.1:8b-q6_K@2026-05-19

Confidence: high

Bugfix Medium

Add missing `user_id` FK filter on job filterset.

Source: granite4.1:8b-q6_K@2026-05-19

Confidence: high

Bugfix Medium

Add missing `cable_id` FK filter on cable termination filterset.

Source: granite4.1:8b-q6_K@2026-05-19

Confidence: high

Bugfix Medium

Fix display of IP address detail view when multiple NAT assignments exist.

Source: granite4.1:8b-q6_K@2026-05-19

Confidence: high

Bugfix Medium

Fix support for user changelog message when saving table configurations via the REST API.

Source: granite4.1:8b-q6_K@2026-05-19

Confidence: high

Full changelog

Enhancements

  • #16851 - Correct errant and missing ARIA labels throughout the UI
  • #20776 - Add changelog message support for bulk rename operations
  • #20808 - Display the names of installed devices when selecting a rack position
  • #21938 - Display geographic hierarchy for circuit terminations assigned to sites, locations, or regions
  • #21993 - Allow IP ranges comprising a single IP address
  • #22057 - Add filter support for notifications and subscriptions to GraphQL API
  • #22192 - Introduce HTTP_CLIENT_IP_HEADERS configuration parameter to customize HTTP headers used to determine client IP address

Performance Improvements

  • #22060 - Implement GraphQL query depth limiting (via GRAPHQL_MAX_QUERY_DEPTH) to guard against excessively complex queries
  • #22061 - Add prefetch hints to various GraphQL type mixins to improve query efficiency
  • #22102 - Add GIN index on CablePath to optimize filtering of cable paths by node
  • #22104 - Avoid retracing cable paths during cable deletion
  • #22146 - Avoid renumbering MPTT trees when creating module bays

Bug Fixes

  • #21934 - Fix striped table rows overriding conditional row color highlighting for virtual/LAG interfaces
  • #22055 - Fix API exceptions being silently consumed by middleware without reporting to Sentry
  • #22079 - Fix security vulnerability allowing arbitrary code execution via ExportTemplate environment_params (CVE-2026-29514)
  • #22081 - REST API should return plaintext for new v2 tokens upon creation
  • #22183 - Fix spurious changelog entries for interface_b generated when saving an unchanged wireless link
  • #22190 - Restore tenant and tenant group column options for circuits group table configuration
  • #22198 - Restrict export template queryset to authorized objects in REST API and list views
  • #22202 - Fix crash in system housekeeping job when no stable releases are available
  • #22206 - Fix TypeError exception raised by table config validation when ordering attribute is null
  • #22207 - Fix missing explicit object_type field annotation on TableConfigType GraphQL type
  • #22208 - Add missing user_id FK filter on job filterset
  • #22209 - Add missing cable_id FK filter on cable termination filterset
  • #22227 - Fix display of IP address detail view when multiple NAT assignments exist
  • #22236 - Fix support for user changelog message when saving table configurations via the REST API

Deprecations

  • #22128 - Deprecate support for v1 API tokens (to be removed in v5.0)
  • #22141 - Deprecate support for PostgreSQL 14 (to be removed in v4.7)

Security Fixes

  • CVE-2026-29514 — Fix arbitrary code execution via ExportTemplate `environment_params`

About netbox

The premier source of truth powering network automation. Open source under Apache 2. Try NetBox Cloud free: https://netboxlabs.com/products/free-netbox-cloud/
