Weak password requirements in Nautobot - CVE-2026-34203

Published: May 11, 2026

Vulnerability identifier: #VU130969
CSH Severity: Low
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2026-34203
CWE-ID: CWE-521
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vulnerable software: Nautobot
Software vendor: Nautobot

Description

The vulnerability allows a remote user to create or modify user accounts with weak passwords.

The vulnerability exists because the REST API user management functionality does not enforce the configured password requirements when creating or editing users. A remote privileged user can send crafted API requests to create or modify user accounts with weak passwords.

The issue affects environments where password validation rules are configured through Django's AUTH_PASSWORD_VALIDATORS setting: the admin UI correctly enforces those validators, but the REST API path does not.
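The gap described above is that one code path (the admin UI) runs the configured validators while another (the REST API) does not. The following added example, which is not Nautobot's or Django's code, uses a small constructed stand-in for Django's validator interface and AUTH_PASSWORD_VALIDATORS loading to show the check an API create/edit handler must run before accepting a password; the validator classes, registry, user dataclass and `api_set_password` function are all assumptions made for the example.

```python
from dataclasses import dataclass
from difflib import SequenceMatcher

class ValidationError(Exception):
    """Constructed stand-in for django.core.exceptions.ValidationError."""

# Constructed validators mirroring the shape of Django's built-in ones.
class MinimumLengthValidator:
    def __init__(self, min_length=8):
        self.min_length = min_length
    def validate(self, password, user=None):
        if len(password) < self.min_length:
            raise ValidationError(f"This password is too short (minimum {self.min_length} characters).")

class NumericPasswordValidator:
    def validate(self, password, user=None):
        if password.isdigit():
            raise ValidationError("This password is entirely numeric.")

class UserAttributeSimilarityValidator:
    def __init__(self, user_attributes=("username", "email"), max_similarity=0.7):
        self.user_attributes, self.max_similarity = user_attributes, max_similarity
    def validate(self, password, user=None):
        for attr in self.user_attributes:
            value = getattr(user, attr, None) if user else None
            if value and SequenceMatcher(a=password.lower(), b=value.lower()).quick_ratio() >= self.max_similarity:
                raise ValidationError(f"The password is too similar to the {attr}.")

# Constructed registry standing in for Django's import_string() lookup of each NAME.
REGISTRY = {c.__name__: c for c in (MinimumLengthValidator, NumericPasswordValidator, UserAttributeSimilarityValidator)}

# Same shape as the AUTH_PASSWORD_VALIDATORS setting the advisory refers to.
AUTH_PASSWORD_VALIDATORS = [
    {"NAME": "django.contrib.auth.password_validation.MinimumLengthValidator", "OPTIONS": {"min_length": 12}},
    {"NAME": "django.contrib.auth.password_validation.NumericPasswordValidator"},
    {"NAME": "django.contrib.auth.password_validation.UserAttributeSimilarityValidator"},
]

def get_password_validators(config):
    return [REGISTRY[e["NAME"].rsplit(".", 1)[-1]](**e.get("OPTIONS", {})) for e in config]

@dataclass
class User:          # constructed minimal user object
    username: str
    email: str = ""

def password_errors(password, user=None, config=AUTH_PASSWORD_VALIDATORS):
    """Run every configured validator (like validate_password) and collect all messages."""
    errors = []
    for validator in get_password_validators(config):
        try:
            validator.validate(password, user)
        except ValidationError as exc:
            errors.append(str(exc))
    return errors

def api_set_password(user, password):
    """Check an API create/edit request must pass before hashing and saving; returns a 400-style error body or None."""
    errors = password_errors(password, user)
    return {"password": errors} if errors else None
```

Running the same `password_errors` chain from both the UI form and the API serializer is what closes the gap; a password accepted by one path but rejected by the other is the symptom to test for.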


Remediation

Install the security update from the vendor's website.

External links