Exposure of Private Information ('Privacy Violation') in Nautobot - CVE-2023-46128
Published: October 24, 2023 / Updated: May 11, 2026
Nautobot
Detailed vulnerability description
The vulnerability allows a remote user to disclose hashed user passwords.
The vulnerability exists because affected REST API endpoints that embed nested User object references expose private personal information when a request carries the ?depth= query parameter. A remote user can send a request to an affected endpoint with an appropriate ?depth= value to disclose hashed user passwords.
The passwords are exposed exactly as stored in the database (hashed), not in plaintext. Direct access to the /api/users/users/ endpoint does not expose this field, but nested user data returned by affected core or plugin REST API endpoints may do so.
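A defender-side check for this class of leak, added here as an example and not Nautobot's own code: it walks a parsed JSON API response and reports every path at which a sensitive key (here `password`) appears, at any nesting depth. The response shapes, the nested field name `created_by` and the hash value are constructed placeholders, not real Nautobot output; run the walker over the JSON your instance returns with and without `?depth=` to confirm nested User references no longer carry the field.

```python
from typing import Any, List

# Keys that must never appear in an API response at any nesting depth.
SENSITIVE_KEYS = frozenset({"password"})


def find_sensitive_paths(node: Any, path: str = "",
                         sensitive: frozenset = SENSITIVE_KEYS) -> List[str]:
    """Return JSON paths (e.g. 'results[0].created_by.password') whose key is sensitive.

    Recurses through dicts and lists so that a field hidden inside a nested
    object reference (the ?depth= case) is found just like a top-level one.
    """
    hits: List[str] = []
    if isinstance(node, dict):
        for key, value in node.items():
            child = f"{path}.{key}" if path else key
            if key in sensitive:
                hits.append(child)
            hits.extend(find_sensitive_paths(value, child, sensitive))
    elif isinstance(node, list):
        for i, item in enumerate(node):
            hits.extend(find_sensitive_paths(item, f"{path}[{i}]", sensitive))
    return hits


# Constructed sample of a paginated list response with ?depth=1: each object
# embeds a nested User ('created_by' is a hypothetical field name, the hash is
# a placeholder, not a real credential).
SAMPLE_DEPTH1_RESPONSE = {
    "count": 1,
    "results": [{
        "id": "00000000-0000-0000-0000-000000000001",
        "name": "example-object",
        "created_by": {
            "id": "00000000-0000-0000-0000-000000000002",
            "username": "alice",
            "password": "pbkdf2_sha256$PLACEHOLDER_HASH",
        },
    }],
}

# Constructed sample of the same listing with ?depth=0: the User is a bare
# reference, so no nested fields (and no hash) are serialised.
SAMPLE_DEPTH0_RESPONSE = {
    "count": 1,
    "results": [{
        "id": "00000000-0000-0000-0000-000000000001",
        "name": "example-object",
        "created_by": "00000000-0000-0000-0000-000000000002",
    }],
}

if __name__ == "__main__":
    for label, resp in (("depth=1", SAMPLE_DEPTH1_RESPONSE),
                        ("depth=0", SAMPLE_DEPTH0_RESPONSE)):
        print(label, find_sensitive_paths(resp) or "no sensitive keys found")
```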