Description
Nautobot is a Network Source of Truth and Network Automation Platform. Prior to versions 2.4.30 and 3.0.10, user creation and editing via the REST API fails to apply the password validation rules defined by Django's AUTH_PASSWORD_VALIDATORS setting (which defaults to an empty list, i.e., no specific rules, but can be configured in Nautobot's nautobot_config.py to apply various rules if desired). This can potentially allow for the creation or modification of users to have passwords that are weak or otherwise do not comply with configured standards. This issue has been patched in versions 2.4.30 and 3.0.10.
Published: 2026-03-31
Score: 2.7 Low
EPSS: < 1% Very Low
KEV: No
Impact: Weak Passwords
Action: Apply Patch
AI Analysis

Impact

Nautobot before versions 2.4.30 and 3.0.10 does not enforce the password validation rules defined in the AUTH_PASSWORD_VALIDATORS setting when creating or editing users through its REST API. This omission allows administrators or attackers to assign passwords that are weak or do not meet organizational standards, potentially exposing user accounts to brute‑force or credential‑stuffing attacks. The vulnerability is categorized as weakness in password policy enforcement (CWE‑521).

Affected Systems

The affected product is Nautobot (Network Source of Truth and Network Automation Platform). All releases prior to 2.4.30 for the 2.x line and prior to 3.0.10 for the 3.x line are vulnerable. Systems running those versions and exposing the REST API for user management are at risk.

Risk and Exploitability

The CVSS score of 2.7 indicates a low severity, and the EPSS score of less than 1% suggests a low probability of widespread exploitation. However, anyone with access to the Nautobot REST API can create or modify user accounts, bypassing the configured password policies. The vulnerability is not listed in CISA’s KEV catalog, and no direct exploit is documented. Nonetheless, weak passwords could facilitate credential compromise for any user that logs in with the affected account.

Generated by OpenCVE AI on April 7, 2026 at 23:09 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Nautobot to version 2.4.30 or later for the 2.x line, or to version 3.0.10 or later for the 3.x line.
  • Verify that the AUTH_PASSWORD_VALIDATORS setting in nautobot_config.py is properly configured to enforce desired password rules.
  • Review existing REST API keys and restrict or revoke access for users who should not have user‑management privileges.
  • Monitor for any newly created or edited user accounts with weak passwords and enforce policies manually if necessary.

Generated by OpenCVE AI on April 7, 2026 at 23:09 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-xmpv-j7p2-j873 Nautobot: Management of users via REST API does not apply configured password validators
History

Tue, 07 Apr 2026 18:00:00 +0000

Type Values Removed Values Added
First Time appeared Networktocode
Networktocode nautobot
CPEs cpe:2.3:a:networktocode:nautobot:*:*:*:*:*:*:*:*
Vendors & Products Networktocode
Networktocode nautobot

Thu, 02 Apr 2026 20:30:00 +0000

Type Values Removed Values Added
First Time appeared Nautobot
Nautobot nautobot
Vendors & Products Nautobot
Nautobot nautobot

Wed, 01 Apr 2026 02:15:00 +0000

Type Values Removed Values Added
Description Nautobot is a Network Source of Truth and Network Automation Platform. Prior to versions 2.4.30 and 3.0.10, user creation and editing via the REST API fails to apply the password validation rules defined by Django's AUTH_PASSWORD_VALIDATORS setting (which defaults to an empty list, i.e., no specific rules, but can be configured in Nautobot's nautobot_config.py to apply various rules if desired). This can potentially allow for the creation or modification of users to have passwords that are weak or otherwise do not comply with configured standards. This issue has been patched in versions 2.4.30 and 3.0.10.
Title Nautobot: Management of users via REST API does not apply configured password validators
Weaknesses CWE-521
References
Metrics cvssV3_1

{'score': 2.7, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Subscriptions

Nautobot Nautobot
Networktocode Nautobot
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-31T20:30:00.988Z

Reserved: 2026-03-26T15:57:52.323Z

Link: CVE-2026-34203

cve-icon Vulnrichment

Updated: 2026-03-31T20:29:57.605Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-31T20:16:28.360

Modified: 2026-04-07T16:10:20.773

Link: CVE-2026-34203

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-08T20:00:12Z

Weaknesses