SB2026051167 - Weak password requirements in Nautobot




Published: May 11, 2026

Security Bulletin ID: SB2026051167
CSH Severity: Low
Patch available: YES
Number of vulnerabilities: 1
Exploitation vector: Remote access
Highest impact: Data manipulation

Breakdown by Severity

Low: 100%

Description

This security bulletin contains information about 1 vulnerability.


1) Weak password requirements (CVE-ID: CVE-2026-34203)

The vulnerability allows a remote user to create or modify user accounts with weak passwords.

The vulnerability exists due to weak password requirements in the user management functionality of the REST API, which is used to create or edit users. A remote privileged user can send crafted API requests to create or modify user accounts with weak passwords.

The issue affects environments where password validation rules are configured through Django's AUTH_PASSWORD_VALIDATORS setting; the admin UI correctly enforces those validators.


Remediation

Install the update from the vendor's website.