Description
netbox-docker before 2.5.0 has a superuser account with default credentials (admin password for the admin account, and 0123456789abcdef0123456789abcdef01234567 value for SUPERUSER_API_TOKEN). In practice on the public Internet, almost all users changed the password but only about 90% changed the token. Having a default token value was intentional and was valuable for the main intended use case of the netbox-docker product (isolated development networks). Some users engaged in an effort to repurpose netbox-docker for production. The documentation for this effort stated that the defaults must not be used. However, installation did not ensure non-default values. The Supplier was aware of the CVE ID assignment and did not object to the assignment.
Published: 2026-03-11
Score: 9 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized Administrative Access
Action: Apply Patch
AI Analysis

Impact

The vulnerability exists in the netbox-docker container image before version 2.5.0: the image's initial setup creates a superuser with a default password ("admin" for the "admin" account) and a default API token (0123456789abcdef0123456789abcdef01234567). An attacker who can reach the NetBox instance over the network can authenticate with either value and obtain full administrative control of the web UI and REST API, including the ability to read and alter the network inventory NetBox holds. The CVE description notes that Internet-exposed deployments almost always changed the password but left the token in place in roughly one case in ten, so the token is the more likely entry point. The weakness is Use of Default Credentials (CWE-1392).

Affected Systems

All releases of netbox-community:netbox-docker prior to version 2.5.0 are affected. The documentation for production use states that the defaults must not be used, but nothing in the installation enforced non-default values.

Risk and Exploitability

The vulnerability has a CVSS 3.1 base score of 9.0 (critical; vector AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H) and an EPSS below 1%. It is not listed in the CISA KEV catalog, and the SSVC decision point records exploitation status as proof-of-concept. The attack is remote over the network wherever the instance is reachable, needs no privileges or user interaction, and succeeds with nothing more than the documented default values. Any deployment that kept either default is fully exposed. Although exploitation in the wild appears unlikely on the EPSS score, the outcome is complete administrative takeover, so remediation should not wait.

Generated by OpenCVE AI on March 17, 2026 at 15:22 UTC.

Remediation

The record lists no vendor advisory or workaround link. The CVE description scopes the issue to releases before 2.5.0, and the recommended actions below follow from that.

OpenCVE Recommended Actions

  • Upgrade netbox‑docker to 2.5.0 or newer; per the CVE description, releases before 2.5.0 are the ones whose installation leaves the default superuser credentials in place.
  • Before the first start of a new instance, set a unique SUPERUSER_API_TOKEN and a non-default admin password (SUPERUSER_PASSWORD) in the container environment.
  • On an instance that has already been started, changing those variables is not enough: the startup script creates the superuser and its token only when the account does not yet exist, so the values already stored in the database remain valid. Change the admin password inside NetBox and delete the default token there (the account's API tokens in the UI, or the /api/users/tokens/ REST endpoint), then restart.
  • Verify that the defaults are rejected: attempt a UI login as admin/admin and an API request carrying the default token in the Authorization: Token header, and confirm that both fail.
  • Review NetBox's change log for modifications made under the admin account, and watch the web-server and NetBox logs for requests authenticated with the default token or against the admin account.
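The verification step above, as an added example that is not part of the OpenCVE page or the netbox-docker project: a probe that presents the default SUPERUSER_API_TOKEN to the REST API and reports whether it still authenticates. It assumes the API is served under /api/ at the given base URL and that an unknown token is answered with 401 or 403 (Django REST Framework token authentication rejects a bad token instead of falling back to anonymous access); the localhost:8000 default and the function names are the example's own. It does not test the admin password, so a failed UI login as admin/admin still has to be confirmed by hand.

```python
"""Probe a NetBox instance for the netbox-docker default superuser API token.

Added example for this page; not code from OpenCVE or netbox-docker.
Assumes the NetBox REST API lives under BASE_URL/api/ and that /api/status/
returns 200 to a valid token and 401/403 to an invalid one.
"""
import sys
import urllib.error
import urllib.request

# Default token value quoted in the CVE description.
DEFAULT_TOKEN = "0123456789abcdef0123456789abcdef01234567"


def http_status(url: str, token: str, timeout: float = 5.0) -> int:
    """GET url with a NetBox 'Authorization: Token ...' header; return the HTTP status."""
    req = urllib.request.Request(
        url,
        headers={"Authorization": f"Token {token}", "Accept": "application/json"},
    )
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as exc:
        return exc.code  # 401/403 is the expected answer for a rejected token


def classify(status: int) -> str:
    """Map the HTTP status of the probe to a verdict."""
    if status == 200:
        return "VULNERABLE"  # the default token still authenticates a user
    if status in (401, 403):
        return "OK"  # token rejected
    return "UNKNOWN"  # e.g. 404 if the API is not under /api/, 5xx, etc.


def check_default_token(base_url: str, token: str = DEFAULT_TOKEN, get=http_status) -> str:
    """Probe base_url/api/status/ with `token`; `get` is injectable for offline tests."""
    url = base_url.rstrip("/") + "/api/status/"
    return classify(get(url, token))


if __name__ == "__main__":
    # localhost:8000 is an assumption (a common netbox-docker port mapping), not a given.
    base = sys.argv[1] if len(sys.argv) > 1 else "http://localhost:8000"
    verdict = check_default_token(base)
    print(f"{base}: default SUPERUSER_API_TOKEN -> {verdict}")
    sys.exit(1 if verdict == "VULNERABLE" else 0)
```

Run it as `python3 probe.py https://netbox.example` after remediation; an exit status of 1 means the default token was accepted and the token has not actually been removed from the database. A verdict of UNKNOWN usually means the API is not where the script expects it, not that the instance is safe.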

Advisories

No advisories yet.

History

Fri, 20 Mar 2026 14:45:00 +0000

Type Values Removed Values Added
Title netbox‑docker Default Superuser Credentials Exposed

Wed, 11 Mar 2026 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Wed, 11 Mar 2026 12:00:00 +0000

Type Values Removed Values Added
First Time appeared Netbox
Netbox netbox-docker
Vendors & Products Netbox
Netbox netbox-docker

Wed, 11 Mar 2026 05:30:00 +0000

Type Values Removed Values Added
Description netbox-docker before 2.5.0 has a superuser account with default credentials (admin password for the admin account, and 0123456789abcdef0123456789abcdef01234567 value for SUPERUSER_API_TOKEN). In practice on the public Internet, almost all users changed the password but only about 90% changed the token. Having a default token value was intentional and was valuable for the main intended use case of the netbox-docker product (isolated development networks). Some users engaged in an effort to repurpose netbox-docker for production. The documentation for this effort stated that the defaults must not be used. However, installation did not ensure non-default values. The Supplier was aware of the CVE ID assignment and did not object to the assignment.
Weaknesses CWE-1392
References
Metrics cvssV3_1

{'score': 9, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-03-11T14:23:00.621Z

Reserved: 2023-03-03T00:00:00.000Z

Link: CVE-2023-27573

Vulnrichment

Updated: 2026-03-11T14:22:30.552Z

NVD

Status : Awaiting Analysis

Published: 2026-03-11T06:17:11.933

Modified: 2026-03-11T13:52:47.683

Link: CVE-2023-27573

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-20T14:33:55Z

Weaknesses