{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-34203", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-26T15:57:52.323Z", "datePublished": "2026-03-31T19:27:29.903Z", "dateUpdated": "2026-03-31T20:30:00.988Z"}, "containers": {"cna": {"title": "Nautobot: Management of users via REST API does not apply configured password validators", "problemTypes": [{"descriptions": [{"cweId": "CWE-521", "lang": "en", "description": "CWE-521: Weak Password Requirements", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 2.7, "baseSeverity": "LOW", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/nautobot/nautobot/security/advisories/GHSA-xmpv-j7p2-j873", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/nautobot/nautobot/security/advisories/GHSA-xmpv-j7p2-j873"}, {"name": "https://github.com/nautobot/nautobot/pull/8778", "tags": ["x_refsource_MISC"], "url": "https://github.com/nautobot/nautobot/pull/8778"}, {"name": "https://github.com/nautobot/nautobot/pull/8779", "tags": ["x_refsource_MISC"], "url": "https://github.com/nautobot/nautobot/pull/8779"}, {"name": "https://github.com/nautobot/nautobot/commit/589f7caf54124ad76bc9fcbb7bdcaa25627cd598", "tags": ["x_refsource_MISC"], "url": "https://github.com/nautobot/nautobot/commit/589f7caf54124ad76bc9fcbb7bdcaa25627cd598"}, {"name": "https://github.com/nautobot/nautobot/commit/d1ef3135aa02fa07de061e8c085f8cce425fe8c9", "tags": ["x_refsource_MISC"], "url": "https://github.com/nautobot/nautobot/commit/d1ef3135aa02fa07de061e8c085f8cce425fe8c9"}], "affected": [{"vendor": "nautobot", "product": "nautobot", "versions": [{"version": "< 2.4.30", "status": "affected"}, {"version": ">= 3.0.0, < 3.0.10", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-31T19:27:29.903Z"}, "descriptions": [{"lang": "en", "value": "Nautobot is a Network Source of Truth and Network Automation Platform. Prior to versions 2.4.30 and 3.0.10, user creation and editing via the REST API fails to apply the password validation rules defined by Django's AUTH_PASSWORD_VALIDATORS setting (which defaults to an empty list, i.e., no specific rules, but can be configured in Nautobot's nautobot_config.py to apply various rules if desired). This can potentially allow for the creation or modification of users to have passwords that are weak or otherwise do not comply with configured standards. This issue has been patched in versions 2.4.30 and 3.0.10."}], "source": {"advisory": "GHSA-xmpv-j7p2-j873", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-31T20:29:54.867462Z", "id": "CVE-2026-34203", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-31T20:30:00.988Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-34203", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-31T20:29:54.867462Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-31T20:29:57.605Z"}}], "cna": {"title": "Nautobot: Management of users via REST API does not apply configured password validators", "source": {"advisory": "GHSA-xmpv-j7p2-j873", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 2.7, "attackVector": "NETWORK", "baseSeverity": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "HIGH", "confidentialityImpact": "NONE"}}], "affected": [{"vendor": "nautobot", "product": "nautobot", "versions": [{"status": "affected", "version": "< 2.4.30"}, {"status": "affected", "version": ">= 3.0.0, < 3.0.10"}]}], "references": [{"url": "https://github.com/nautobot/nautobot/security/advisories/GHSA-xmpv-j7p2-j873", "name": "https://github.com/nautobot/nautobot/security/advisories/GHSA-xmpv-j7p2-j873", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/nautobot/nautobot/pull/8778", "name": "https://github.com/nautobot/nautobot/pull/8778", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/nautobot/nautobot/pull/8779", "name": "https://github.com/nautobot/nautobot/pull/8779", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/nautobot/nautobot/commit/589f7caf54124ad76bc9fcbb7bdcaa25627cd598", "name": "https://github.com/nautobot/nautobot/commit/589f7caf54124ad76bc9fcbb7bdcaa25627cd598", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/nautobot/nautobot/commit/d1ef3135aa02fa07de061e8c085f8cce425fe8c9", "name": "https://github.com/nautobot/nautobot/commit/d1ef3135aa02fa07de061e8c085f8cce425fe8c9", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Nautobot is a Network Source of Truth and Network Automation Platform. Prior to versions 2.4.30 and 3.0.10, user creation and editing via the REST API fails to apply the password validation rules defined by Django's AUTH_PASSWORD_VALIDATORS setting (which defaults to an empty list, i.e., no specific rules, but can be configured in Nautobot's nautobot_config.py to apply various rules if desired). This can potentially allow for the creation or modification of users to have passwords that are weak or otherwise do not comply with configured standards. This issue has been patched in versions 2.4.30 and 3.0.10."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-521", "description": "CWE-521: Weak Password Requirements"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-31T19:27:29.903Z"}}}, "cveMetadata": {"cveId": "CVE-2026-34203", "state": "PUBLISHED", "dateUpdated": "2026-03-31T20:30:00.988Z", "dateReserved": "2026-03-26T15:57:52.323Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-31T19:27:29.903Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:networktocode:nautobot:*:*:*:*:*:*:*:*", "matchCriteriaId": "C701138B-987A-4CC7-A01A-A9319DA16A51", "versionEndExcluding": "2.4.30", "vulnerable": true}, {"criteria": "cpe:2.3:a:networktocode:nautobot:*:*:*:*:*:*:*:*", "matchCriteriaId": "D3259E19-11F4-4DA7-8D25-919F7E9D0E90", "versionEndExcluding": "3.0.10", "versionStartIncluding": "3.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Nautobot is a Network Source of Truth and Network Automation Platform. Prior to versions 2.4.30 and 3.0.10, user creation and editing via the REST API fails to apply the password validation rules defined by Django's AUTH_PASSWORD_VALIDATORS setting (which defaults to an empty list, i.e., no specific rules, but can be configured in Nautobot's nautobot_config.py to apply various rules if desired). This can potentially allow for the creation or modification of users to have passwords that are weak or otherwise do not comply with configured standards. This issue has been patched in versions 2.4.30 and 3.0.10."}], "id": "CVE-2026-34203", "lastModified": "2026-04-07T16:10:20.773", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 2.7, "baseSeverity": "LOW", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 1.2, "impactScore": 1.4, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-03-31T20:16:28.360", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/nautobot/nautobot/commit/589f7caf54124ad76bc9fcbb7bdcaa25627cd598"}, {"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/nautobot/nautobot/commit/d1ef3135aa02fa07de061e8c085f8cce425fe8c9"}, {"source": "security-advisories@github.com", "tags": ["Issue Tracking", "Patch"], "url": "https://github.com/nautobot/nautobot/pull/8778"}, {"source": "security-advisories@github.com", "tags": ["Issue Tracking", "Patch"], "url": "https://github.com/nautobot/nautobot/pull/8779"}, {"source": "security-advisories@github.com", "tags": ["Mitigation", "Patch", "Vendor Advisory"], "url": "https://github.com/nautobot/nautobot/security/advisories/GHSA-xmpv-j7p2-j873"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-521"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,2.4.30)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[3.0.0,3.0.10)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "nautobot", "source": "cna", "vendor": "nautobot"}, "product": "nautobot", "vendor": "nautobot"}], "analysis": {"en": {"generated_at": "2026-04-07T23:09:51.519995+00:00", "value": {"mitigation_remediation": ["Upgrade Nautobot to version 2.4.30 or later for the 2.x line, or to version 3.0.10 or later for the 3.x line.", "Verify that the AUTH_PASSWORD_VALIDATORS setting in nautobot_config.py is properly configured to enforce desired password rules.", "Review existing REST API keys and restrict or revoke access for users who should not have user\u2011management privileges.", "Monitor for any newly created or edited user accounts with weak passwords and enforce policies manually if necessary."], "summary": {"action": "Apply Patch", "impact": "Weak Passwords"}, "threat_synthesis": {"affected_systems": "The affected product is Nautobot (Network Source of Truth and Network Automation Platform). All releases prior to 2.4.30 for the 2.x line and prior to 3.0.10 for the 3.x line are vulnerable. Systems running those versions and exposing the REST API for user management are at risk.", "description_and_impact": "Nautobot before versions 2.4.30 and 3.0.10 does not enforce the password validation rules defined in the AUTH_PASSWORD_VALIDATORS setting when creating or editing users through its REST API. This omission allows administrators or attackers to assign passwords that are weak or do not meet organizational standards, potentially exposing user accounts to brute\u2011force or credential\u2011stuffing attacks. The vulnerability is categorized as weakness in password policy enforcement (CWE\u2011521).", "risk_and_exploitability": "The CVSS score of 2.7 indicates a low severity, and the EPSS score of less than 1% suggests a low probability of widespread exploitation. However, anyone with access to the Nautobot REST API can create or modify user accounts, bypassing the configured password policies. The vulnerability is not listed in CISA\u2019s KEV catalog, and no direct exploit is documented. Nonetheless, weak passwords could facilitate credential compromise for any user that logs in with the affected account."}}}}, "created": "2026-04-02T07:53:10.665394+00:00", "updated": "2026-04-08T20:00:12.048280+00:00", "vendors": ["nautobot", "nautobot$PRODUCT$nautobot"]}