Exposure of Private Information ('Privacy Violation') in Nautobot - CVE-2023-46128

Published: October 24, 2023 / Updated: May 11, 2026

Vulnerability identifier: #VU130965
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2023-46128
CWE-ID: CWE-359
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Nautobot
Affected software:
Nautobot

Detailed vulnerability description

The vulnerability allows a remote user to disclose hashed user passwords.

The vulnerability exists because REST API endpoints that contain nested User object references expose private personal information when a request is processed with the ?depth= query parameter. A remote user can send a request to an affected endpoint with a suitable ?depth= value and obtain hashed user passwords in the response.

The passwords are exposed in the form stored in the database (as hashes), not in plaintext. The /api/users/users/ endpoint itself does not expose this field, but nested user data returned by affected core or plugin REST API endpoints may.
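The following is an added, constructed model of the defect class described above (it is not Nautobot's code and does not reproduce its serializers): a direct user representation filters the password hash out, but a nested reference expanded via depth reuses the unfiltered record. It also includes a recursive response audit, `find_sensitive_keys`, that a defender can run over real API responses to confirm a fix holds at every nesting level. All records, field names and the hash value are constructed placeholders.

```python
"""Constructed model of the CVE-2023-46128 failure mode (not Nautobot's code):
a nested User reference expanded by ?depth= carries the password hash, while
the direct user endpoint excludes it. Includes an audit helper that walks a
decoded JSON response and reports sensitive keys at any nesting level."""
from typing import Any

# Constructed sample records; the hash is a fake placeholder, not a real one.
USERS = {1: {"id": 1, "username": "alice", "password": "pbkdf2_sha256$FAKEHASH"}}
DEVICES = {10: {"id": 10, "name": "edge-rtr-1", "created_by": 1}}

# Fields that must never appear in a serialized User, at any depth.
SENSITIVE_FIELDS = {"user": {"password"}}


def serialize_user(user: dict, exclude: set[str] = frozenset()) -> dict:
    """Render a user record, dropping any field listed in `exclude`."""
    return {k: v for k, v in user.items() if k not in exclude}


def serialize_device_naive(dev: dict, depth: int) -> dict:
    """Vulnerable shape: depth > 0 expands the related user with every stored
    column, even though the direct user endpoint filters the hash out."""
    out = dict(dev)
    if depth > 0:
        out["created_by"] = serialize_user(USERS[dev["created_by"]])
    return out


def serialize_device_fixed(dev: dict, depth: int) -> dict:
    """Hardened shape: the exclusion list is applied wherever a User is
    rendered, so nesting depth cannot reintroduce the field."""
    out = dict(dev)
    if depth > 0:
        out["created_by"] = serialize_user(USERS[dev["created_by"]],
                                           SENSITIVE_FIELDS["user"])
    return out


def find_sensitive_keys(payload: Any, keys: set[str], path: str = "$") -> list[str]:
    """Walk a decoded JSON response and return JSONPath-style locations of
    every key in `keys`; usable as a regression check over real responses."""
    hits: list[str] = []
    if isinstance(payload, dict):
        for k, v in payload.items():
            p = f"{path}.{k}"
            if k in keys:
                hits.append(p)
            hits.extend(find_sensitive_keys(v, keys, p))
    elif isinstance(payload, list):
        for i, v in enumerate(payload):
            hits.extend(find_sensitive_keys(v, keys, f"{path}[{i}]"))
    return hits
```

Running `find_sensitive_keys` over the naive output with depth 1 reports `$.created_by.password`, while the hardened serializer and depth 0 report nothing.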


How to mitigate CVE-2023-46128

Install the security update from the vendor's website.

Sources