Description
Nautobot is a Network Source of Truth and Network Automation Platform. Prior to versions 2.4.30 and 3.0.10, user creation and editing via the REST API fails to apply the password validation rules defined by Django's AUTH_PASSWORD_VALIDATORS setting (which defaults to an empty list, i.e., no specific rules, but can be configured in Nautobot's nautobot_config.py to apply various rules if desired). This can potentially allow for the creation or modification of users to have passwords that are weak or otherwise do not comply with configured standards. This issue has been patched in versions 2.4.30 and 3.0.10.
Published: 2026-03-31
Score: 2.7 Low
EPSS: < 1% Very Low
KEV: No
Impact: Weak passwords set through the REST API
Action: Apply Patch
AI Analysis

Impact

The vulnerability allows an attacker who can access the Nautobot REST API to create or edit users with passwords that bypass Django’s configured validation rules. This means users can be assigned passwords that are weak or do not meet the organization’s security policies, reducing overall credential strength.

Affected Systems

All Nautobot installations running versions prior to 2.4.30 or 3.0.10 are affected. The issue appears in the default Network Source of Truth and Automation Platform provided by Nautobot and any deployments that rely on the REST API for user management.

Risk and Exploitability

The flaw carries a CVSS score of 2.7, categorizing it as low severity. An attacker needs authenticated access to the API to create or modify users, after which weak passwords can be enforced. No public exploits have been disclosed and the vulnerability is not listed in the known exploited vulnerabilities catalog. With the EPSS score unavailable, the likelihood of exploitation remains unclear, but the attack vector is straightforward within the API layer.

Generated by OpenCVE AI on April 1, 2026 at 06:59 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Nautobot to version 2.4.30 or later (or 3.0.10 or later)
  • Configure AUTH_PASSWORD_VALIDATORS in nautobot_config.py to enforce desired password policies
  • After upgrading, audit existing user passwords and reset those that do not comply with the policy

Generated by OpenCVE AI on April 1, 2026 at 06:59 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-xmpv-j7p2-j873 Nautobot: Management of users via REST API does not apply configured password validators
History

Thu, 02 Apr 2026 20:30:00 +0000

Type Values Removed Values Added
First Time appeared Nautobot
Nautobot nautobot
Vendors & Products Nautobot
Nautobot nautobot

Wed, 01 Apr 2026 02:15:00 +0000

Type Values Removed Values Added
Description Nautobot is a Network Source of Truth and Network Automation Platform. Prior to versions 2.4.30 and 3.0.10, user creation and editing via the REST API fails to apply the password validation rules defined by Django's AUTH_PASSWORD_VALIDATORS setting (which defaults to an empty list, i.e., no specific rules, but can be configured in Nautobot's nautobot_config.py to apply various rules if desired). This can potentially allow for the creation or modification of users to have passwords that are weak or otherwise do not comply with configured standards. This issue has been patched in versions 2.4.30 and 3.0.10.
Title Nautobot: Management of users via REST API does not apply configured password validators
Weaknesses CWE-521
References
Metrics cvssV3_1

{'score': 2.7, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Subscriptions

Nautobot Nautobot
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-31T20:30:00.988Z

Reserved: 2026-03-26T15:57:52.323Z

Link: CVE-2026-34203

cve-icon Vulnrichment

Updated: 2026-03-31T20:29:57.605Z

cve-icon NVD

Status : Undergoing Analysis

Published: 2026-03-31T20:16:28.360

Modified: 2026-04-01T14:23:37.727

Link: CVE-2026-34203

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-02T20:11:05Z

Weaknesses