CVE-2026-34203
Password Validation Bypass in Nautobot REST API Allows Weak Passwords
Publication date: 2026-03-31
Last updated on: 2026-04-07
Assigner: GitHub, Inc.
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| networktocode | nautobot | Up to 2.4.30 (exc) |
| networktocode | nautobot | From 3.0.0 (inc) to 3.0.10 (exc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-521 | The product does not require that users should have strong passwords. |
AI Powered Q&A
How can this vulnerability impact me?
This vulnerability can affect you by allowing user accounts to be created or modified with weak or non-compliant passwords through Nautobot's REST API. Weak passwords raise the risk of unauthorized access or account compromise because they are easier to guess or crack.
Because the REST API did not enforce the configured password validation rules, any user (or attacker) who already held sufficient privileges to manage accounts through the API could set weak passwords, undermining the system's security posture. Although the vulnerability has a low CVSS score (2.7), it still poses an integrity risk by permitting weak passwords to be used.
- Potential for weak password acceptance via REST API user management
- Increased risk of account compromise due to weak passwords
- Bypassing configured password complexity policies
- The admin UI correctly enforces password validation, so the risk is limited to REST API usage
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
This vulnerability can negatively affect compliance with common security standards and regulations such as GDPR and HIPAA, which require organizations to implement strong access controls and protect user credentials.
By allowing weak or non-compliant passwords to be set via the REST API, the system may fail to meet password complexity and security requirements mandated by these regulations. This increases the risk of unauthorized access and potential data breaches, which could lead to non-compliance penalties.
Mitigating this vulnerability by applying the patch and enforcing password validation rules helps ensure that password policies are consistently enforced, supporting compliance with regulatory requirements for strong authentication controls.
Can you explain this vulnerability to me?
CVE-2026-34203 is a security vulnerability in Nautobot's REST API user management functionality. Prior to versions 2.4.30 and 3.0.10, when creating or editing users via the REST API, the system did not enforce password validation rules defined by Django's AUTH_PASSWORD_VALIDATORS setting. This means that passwords set or changed through the API could bypass configured password complexity and strength requirements, potentially allowing weak or non-compliant passwords to be used.
The issue was caused by the absence of a call to Django's validate_password() function during user creation or modification via the REST API. The fix involved adding this call within the UserSerializer.validate() method, ensuring that any configured password validators are properly applied when passwords are set or changed through the API.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves the lack of enforcement of password validation rules when creating or modifying users via Nautobot's REST API. Detection involves verifying whether user accounts have weak or non-compliant passwords that bypass configured password policies.
Since the issue is specific to the REST API user management, you can detect it by auditing user accounts created or modified through the API for weak passwords or by checking API logs for user creation or modification events.
There are no specific commands provided in the available resources to detect this vulnerability directly on your network or system.
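Since the page lists no detection commands, here is an added example (not from Nautobot or from this record's resources) of the log-review approach described above: a Python scan over web-server access log lines that picks out successful POST/PUT/PATCH requests to Nautobot's user endpoint, yielding the accounts whose passwords may have been set through the API and should be reviewed or rotated. The log lines are constructed, the combined-log-style line format is assumed (adapt the regex to your reverse proxy or uWSGI log format), and the `/api/users/users/` path is assumed to be the user-management endpoint. The log only shows which accounts were touched and by whom; it cannot reveal the passwords themselves.

```python
import re
from dataclasses import dataclass

# Assumed endpoint path of Nautobot's user-management REST API; the optional
# trailing UUID identifies an existing user being updated.
USER_API_PATH = re.compile(r"^/api/users/users/(?P<uuid>[0-9a-f]{8}-[0-9a-f-]{27})?/?$")
MUTATING_METHODS = {"POST", "PUT", "PATCH"}

# Combined-log-style line: client, ident, authenticated user, timestamp,
# request line, status, bytes. Assumed format; adapt to your proxy's log.
LINE_RE = re.compile(
    r'^(?P<client>\S+) \S+ (?P<actor>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \d+$'
)

# Constructed sample log: two successful user writes, one read, one write to
# another endpoint, and one write that was denied.
SAMPLE_LOG = """\
10.0.0.5 - admin [01/Apr/2026:10:00:01 +0000] "POST /api/users/users/ HTTP/1.1" 201 512
10.0.0.5 - admin [01/Apr/2026:10:00:07 +0000] "GET /api/users/users/ HTTP/1.1" 200 2048
10.0.0.9 - svc-automation [01/Apr/2026:10:02:13 +0000] "PATCH /api/users/users/0a1b2c3d-1111-2222-3333-444455556666/ HTTP/1.1" 200 498
10.0.0.9 - svc-automation [01/Apr/2026:10:02:20 +0000] "PATCH /api/dcim/devices/ HTTP/1.1" 200 300
10.0.0.7 - alice [01/Apr/2026:10:05:00 +0000] "POST /api/users/users/ HTTP/1.1" 403 87
"""


@dataclass
class UserMutation:
    timestamp: str
    actor: str
    client: str
    method: str
    target: str  # user UUID from the path, or "<new user>" for a create
    status: int


def find_user_mutations(log_text):
    """Return successful create/update requests against the user endpoint."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m is None or m["method"] not in MUTATING_METHODS:
            continue
        path = USER_API_PATH.match(m["path"])
        status = int(m["status"])
        if path is None or not 200 <= status < 300:
            continue  # wrong endpoint, or the write was rejected
        hits.append(UserMutation(m["ts"], m["actor"], m["client"], m["method"],
                                 path["uuid"] or "<new user>", status))
    return hits


if __name__ == "__main__":
    for hit in find_user_mutations(SAMPLE_LOG):
        print(f"{hit.timestamp} {hit.actor}@{hit.client} {hit.method} -> {hit.target}")
```

Each reported row is a candidate for the password review and rotation the mitigation steps recommend; the denied request (403) and the read (GET) are deliberately left out so the list stays focused on writes that actually changed an account.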
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, you should upgrade Nautobot to version 2.4.30 or 3.0.10 or later, where the issue has been fixed by enforcing password validation rules during user creation and modification via the REST API.
Additionally, configure Django's AUTH_PASSWORD_VALIDATORS setting in Nautobot's nautobot_config.py to enforce strong password policies according to your security requirements.
As a workaround until the upgrade is applied, review and restrict permissions to limit which users can create or modify user accounts via the REST API.
Also, consider rotating passwords for accounts that may have been created or modified with weak passwords through the REST API.
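As an added example (not Nautobot's or Django's own code), the following Python stand-in shows the pattern behind both the fix explained earlier on this page (a validate_password() call inside UserSerializer.validate()) and the AUTH_PASSWORD_VALIDATORS setting recommended in the mitigation steps. Django is not imported: the ValidationError class, the four validators and the validate_password() function are simplified re-implementations modelled on Django's built-ins, and the two serializer classes, the setting contents, the deny-list and the sample payloads are constructed for illustration.

```python
"""Added example: how a REST serializer enforces Django's configured
password validators. Everything here is a simplified stand-in written for
this page, not Nautobot's or Django's source."""


class ValidationError(Exception):
    """Stand-in for django.core.exceptions.ValidationError."""


# Constructed setting in the shape Django's AUTH_PASSWORD_VALIDATORS uses:
# a list of {"NAME": <validator>, "OPTIONS": {...}} entries. In Django the
# NAME is a dotted import path; here it is looked up in a local registry.
AUTH_PASSWORD_VALIDATORS = [
    {"NAME": "MinimumLengthValidator", "OPTIONS": {"min_length": 12}},
    {"NAME": "NumericPasswordValidator"},
    {"NAME": "CommonPasswordValidator"},
    {"NAME": "UserAttributeSimilarityValidator"},
]

# Constructed short deny-list; Django's built-in validator ships ~20k entries.
COMMON_PASSWORDS = {"password", "password123", "qwerty", "letmein", "admin"}


class MinimumLengthValidator:
    def __init__(self, min_length=8):
        self.min_length = min_length

    def validate(self, password, user=None):
        if len(password) < self.min_length:
            raise ValidationError(f"shorter than {self.min_length} characters")


class NumericPasswordValidator:
    def validate(self, password, user=None):
        if password.isdigit():
            raise ValidationError("entirely numeric")


class CommonPasswordValidator:
    def validate(self, password, user=None):
        if password.lower() in COMMON_PASSWORDS:
            raise ValidationError("too common")


class UserAttributeSimilarityValidator:
    """Simplified: rejects a password containing the username or the local
    part of the e-mail (Django uses a similarity ratio instead)."""

    def validate(self, password, user=None):
        for attr in ("username", "email"):
            value = ((user or {}).get(attr) or "").split("@")[0].lower()
            if value and value in password.lower():
                raise ValidationError(f"too similar to {attr}")


_REGISTRY = {
    cls.__name__: cls
    for cls in (MinimumLengthValidator, NumericPasswordValidator,
                CommonPasswordValidator, UserAttributeSimilarityValidator)
}


def build_validators(config=None):
    """Instantiate validators from the setting, passing OPTIONS as kwargs."""
    entries = AUTH_PASSWORD_VALIDATORS if config is None else config
    return [_REGISTRY[e["NAME"]](**e.get("OPTIONS", {})) for e in entries]


def validate_password(password, user=None, validators=None):
    """Stand-in for django.contrib.auth.password_validation.validate_password:
    run every configured validator and raise with all failures collected."""
    errors = []
    for validator in (validators if validators is not None else build_validators()):
        try:
            validator.validate(password, user)
        except ValidationError as exc:
            errors.append(str(exc))
    if errors:
        raise ValidationError("; ".join(errors))


class VulnerableUserSerializer:
    """Pre-fix behaviour: the API path never consults the validators."""

    def validate(self, attrs):
        return attrs


class FixedUserSerializer:
    """Post-fix behaviour: validate() runs the configured validators, so the
    API enforces the same policy as the admin UI."""

    def validate(self, attrs):
        password = attrs.get("password")
        if password is not None:  # a PATCH that leaves the password alone is fine
            validate_password(password, user=attrs)
        return attrs


def api_accepts(serializer, payload):
    """True if the serializer would accept this create/update payload."""
    try:
        serializer.validate(dict(payload))
        return True
    except ValidationError:
        return False
```

The important design point is that validate_password() is the single place the policy lives: the admin UI and the API both call it, so a validator added to the setting (or a stricter min_length) applies everywhere without touching serializer code. The vulnerable serializer is kept only to show the gap; it accepts "123456" while the fixed one rejects it with every failing rule listed.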