CVE-2026-34203
CVE-2026-34203 is a medium-severity vulnerability in Nautobot, rated 4.3/10 on the CVSS 3.1 scale. Before versions 2.4.30 and 3.0.10, users created or edited through the REST API are not checked against the password validation rules configured in Django's AUTH_PASSWORD_VALIDATORS setting, so an API caller can set passwords that the web UI would reject. EPSS estimates a 0.24% chance of exploitation in the next 30 days.
Description
Nautobot is a Network Source of Truth and Network Automation Platform. Prior to versions 2.4.30 and 3.0.10, user creation and editing via the REST API fails to apply the password validation rules defined by Django's AUTH_PASSWORD_VALIDATORS setting. That setting defaults to an empty list (no rules), but can be configured in Nautobot's nautobot_config.py to enforce minimum length, common-password, numeric-only and user-attribute-similarity checks or custom validators. Because the REST API skipped these validators, users could be created or modified with passwords that are weak or otherwise do not comply with the configured policy, even though the same passwords would have been rejected by the web UI. Deployments that never configured AUTH_PASSWORD_VALIDATORS are not affected in practice; the gap matters where validators were configured and assumed to be enforced on every write path. This issue has been patched in versions 2.4.30 and 3.0.10.
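To make the failure mode concrete, the following is an added example, not Nautobot's or Django's code, that models two write paths to a user's password: a form path that runs the configured validators and a REST API path that does not, next to the hardened API path that routes through the same validator chain. The validator classes are minimal stand-ins that follow the interface of Django's django.contrib.auth.password_validation (validate(password, user=None) raising ValidationError), so the file runs without Django; the validator list, the common-password set, the user store and the sample payloads are constructed for the example.

```python
"""Reconstruction of the bug class behind CVE-2026-34203: inconsistent
password-policy enforcement across entry points. Not Nautobot code."""


class ValidationError(Exception):
    """Stand-in for django.core.exceptions.ValidationError."""


# Stand-in validators mirroring Django's built-in ones. Each exposes
# validate(password, user=None) and raises ValidationError on failure.
class MinimumLengthValidator:
    def __init__(self, min_length=8):
        self.min_length = min_length

    def validate(self, password, user=None):
        if len(password) < self.min_length:
            raise ValidationError(f"password must be at least {self.min_length} characters")


class CommonPasswordValidator:
    # Constructed toy list; Django ships a list of roughly 20,000 entries.
    COMMON = {"password", "123456", "qwerty", "letmein", "admin"}

    def validate(self, password, user=None):
        if password.lower() in self.COMMON:
            raise ValidationError("password is too common")


class NumericPasswordValidator:
    def validate(self, password, user=None):
        if password.isdigit():
            raise ValidationError("password is entirely numeric")


class UserAttributeSimilarityValidator:
    # Simplified: Django compares against several attributes with a similarity ratio.
    def validate(self, password, user=None):
        username = (user or {}).get("username", "")
        if username and username.lower() in password.lower():
            raise ValidationError("password is too similar to username")


# What an AUTH_PASSWORD_VALIDATORS list in nautobot_config.py configures; the
# real setting lists dotted paths under django.contrib.auth.password_validation.
AUTH_PASSWORD_VALIDATORS = [
    MinimumLengthValidator(min_length=12),
    UserAttributeSimilarityValidator(),
    CommonPasswordValidator(),
    NumericPasswordValidator(),
]


def validate_password(password, user=None, validators=AUTH_PASSWORD_VALIDATORS):
    """Counterpart of django.contrib.auth.password_validation.validate_password:
    run every configured validator and report all failures together."""
    errors = []
    for validator in validators:
        try:
            validator.validate(password, user)
        except ValidationError as exc:
            errors.append(str(exc))
    if errors:
        raise ValidationError("; ".join(errors))


USERS = {}  # constructed in-memory user store (username -> password)


def create_user_via_form(username, password):
    """Web UI path: the form validates before the object is saved."""
    validate_password(password, {"username": username})
    USERS[username] = password
    return True


def create_user_via_api_vulnerable(payload):
    """Pre-fix REST API path: the serializer copies the password straight from
    the request body, bypassing AUTH_PASSWORD_VALIDATORS."""
    USERS[payload["username"]] = payload["password"]
    return True


def create_user_via_api_fixed(payload):
    """Patched REST API path: same validator chain as the form, so the policy
    holds regardless of which entry point performed the write."""
    validate_password(payload["password"], {"username": payload["username"]})
    USERS[payload["username"]] = payload["password"]
    return True


def attempt(write_fn, *args):
    """Run a write path and return (accepted, error_message)."""
    try:
        write_fn(*args)
        return True, ""
    except ValidationError as exc:
        return False, str(exc)


if __name__ == "__main__":
    weak = {"username": "alice", "password": "password"}
    print("form  :", attempt(create_user_via_form, "alice", "password"))
    print("api   :", attempt(create_user_via_api_vulnerable, weak))
    print("fixed :", attempt(create_user_via_api_fixed, weak))
```

The property worth asserting in a test suite is the last one: every code path that writes a password field, forms, serializers and management commands alike, calls validate_password with the same validator list, so a policy configured in nautobot_config.py cannot be sidestepped by choosing a different client.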
Metrics
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N (base score 4.3): reachable over the network with low attack complexity, requires an authenticated account with low privileges and no user interaction, no scope change, and a low integrity impact with no confidentiality or availability impact. The privileges-required component reflects that the REST API endpoints for user management are themselves authenticated; the weakness is the missing policy check on an otherwise legitimate write.
Weakness Enumeration
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| Networktocode | Nautobot | < 2.4.30 |
| Networktocode | Nautobot | >= 3.0.0, < 3.0.10 |
References
- https://github.com/nautobot/nautobot/pull/8778 (Issue Tracking, Patch)
- https://github.com/nautobot/nautobot/pull/8779 (Issue Tracking, Patch)
- https://github.com/nautobot/nautobot/security/advisories/GHSA-xmpv-j7p2-j873 (Mitigation, Patch, Vendor Advisory)
Frequently Asked Questions
What is CVE-2026-34203?
A password-policy bypass in Nautobot. Before 2.4.30 and 3.0.10, users created or edited through the REST API are not checked against the validators configured in Django's AUTH_PASSWORD_VALIDATORS, so passwords the web UI would reject can be set through the API.
How severe is CVE-2026-34203?
Medium: CVSS 3.1 base score 4.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N). It requires an authenticated account and only weakens password quality; EPSS puts the 30-day exploitation probability at 0.24%.
How do I fix CVE-2026-34203?
Upgrade to Nautobot 2.4.30 on the 2.x line or 3.0.10 on the 3.x line. Passwords set through the REST API before the upgrade were never validated, so accounts created or edited via the API under a vulnerable version should be reviewed against the configured policy.
Are you affected by CVE-2026-34203?
Any Nautobot release earlier than 2.4.30, or 3.0.0 through 3.0.9, carries the bug. The practical impact depends on whether AUTH_PASSWORD_VALIDATORS is configured in nautobot_config.py; with the empty default there was no policy to bypass.
Source: NVD / NIST
