CVE Alert

CVE-2026-34203

LOW 2.7

Nautobot: Management of users via REST API does not apply configured password validators

CVSS Score 2.7
EPSS Score 0.0%
EPSS Percentile 0th

Nautobot is a Network Source of Truth and Network Automation Platform. Prior to versions 2.4.30 and 3.0.10, creating or editing users via the REST API fails to apply the password validation rules defined by Django's AUTH_PASSWORD_VALIDATORS setting (which defaults to an empty list, i.e., no specific rules, but can be configured in Nautobot's nautobot_config.py to enforce various rules if desired). As a result, users can be created or modified through the REST API with passwords that are weak or otherwise do not comply with the configured standards, even though the same rules are enforced elsewhere. This issue has been patched in versions 2.4.30 and 3.0.10.

CWE CWE-521
Vendor nautobot
Product nautobot
Published Mar 31, 2026
Last Updated Mar 31, 2026

CVSS v3 Breakdown

Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N

Attack Vector Network
Attack Complexity Low
Privileges Required High
User Interaction None
Scope Unchanged
Confidentiality None
Integrity Low
Availability None

Affected Versions

nautobot / nautobot
- < 2.4.30
- >= 3.0.0, < 3.0.10

References

- GitHub Security Advisory: https://github.com/nautobot/nautobot/security/advisories/GHSA-xmpv-j7p2-j873
- Pull request: https://github.com/nautobot/nautobot/pull/8778
- Pull request: https://github.com/nautobot/nautobot/pull/8779
- Commit: https://github.com/nautobot/nautobot/commit/589f7caf54124ad76bc9fcbb7bdcaa25627cd598
- Commit: https://github.com/nautobot/nautobot/commit/d1ef3135aa02fa07de061e8c085f8cce425fe8c9