CVE-2026-34203
CVE-2026-34203 is a low-severity vulnerability in Networktocode Nautobot with a CVSS 3.x base score of 2.7. It is not currently listed as actively exploited by CISA, and its EPSS exploit-prediction score is low. The underlying weakness is classified as CWE-521.
Key facts
- Severity: Low (CVSS 3.x base score 2.7)
- EPSS exploit prediction: 0% (16th percentile)
- Actively exploited: Not listed in CISA KEV
- EU (EUVD) id: EUVD-2026-17598
- Weakness: CWE-521
- Affected product: Networktocode Nautobot
- Published:
- Last modified:
Description
Nautobot is a Network Source of Truth and Network Automation Platform. Prior to versions 2.4.30 and 3.0.10, user creation and editing via the REST API fails to apply the password validation rules defined by Django's AUTH_PASSWORD_VALIDATORS setting (which defaults to an empty list, i.e., no specific rules, but can be configured in Nautobot's nautobot_config.py to apply various rules if desired). This can potentially allow for the creation or modification of users to have passwords that are weak or otherwise do not comply with configured standards. This issue has been patched in versions 2.4.30 and 3.0.10.
Frequently asked questions
- What is CVE-2026-34203?
- Nautobot is a Network Source of Truth and Network Automation Platform. Prior to versions 2.4.30 and 3.0.10, user creation and editing via the REST API fails to apply the password validation rules defined by Django's AUTH_PASSWORD_VALIDATORS setting (which defaults to an empty list, i.e., no specific rules, but can be configured in Nautobot's nautobot_config.py to apply various rules if desired). This can potentially allow for the creation or modification of users to have passwords that are weak or otherwise do not comply with configured standards. This issue has been patched in versions 2.4.30 and 3.0.10.
- How severe is CVE-2026-34203?
- CVE-2026-34203 has a CVSS 3.x base score of 2.7, rated low severity. It is exploitable over network with low attack complexity, requires high privileges and no user interaction. Impact on confidentiality is none, integrity low, and availability none.
- Is CVE-2026-34203 being actively exploited?
- It is not currently listed in CISA's KEV catalog. Its EPSS exploit-prediction score is 0% (16th percentile), an estimate of the probability of exploitation in the next 30 days.
- What products are affected by CVE-2026-34203?
- CVE-2026-34203 affects Networktocode Nautobot. See the affected-products list for the exact vulnerable versions.
- How do I fix CVE-2026-34203?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround.
- Does CVE-2026-34203 have an EU (EUVD) identifier?
- Yes. CVE-2026-34203 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2026-17598.
- When was CVE-2026-34203 published?
- CVE-2026-34203 was published on 2026-03-31 and last updated on 2026-06-17.
References
- https://github.com/nautobot/nautobot/commit/589f7caf54124ad76bc9fcbb7bdcaa25627cd598
- https://github.com/nautobot/nautobot/commit/d1ef3135aa02fa07de061e8c085f8cce425fe8c9
- https://github.com/nautobot/nautobot/pull/8778
- https://github.com/nautobot/nautobot/pull/8779
- https://github.com/nautobot/nautobot/security/advisories/GHSA-xmpv-j7p2-j873
Affected products (1)
- cpe:2.3:a:networktocode:nautobot:*:*:*:*:*:*:*:*
More vulnerabilities in Networktocode Nautobot
- CVE-2026-44797 — High (CVSS 8.5): Nautobot is a Network Source of Truth and Network Automation Platform. Prior to 2.4.33 and 3.1.2, Nautobot's Webhook…
- CVE-2024-34707 — High (CVSS 7.5): Nautobot is a Network Source of Truth and Network Automation Platform. A Nautobot user with admin privileges can modify…
- CVE-2024-32979 — High (CVSS 7.5): Nautobot is a Network Source of Truth and Network Automation Platform built as a web application atop the Django Python…
- CVE-2023-25657 — High (CVSS 7.5): Nautobot is a Network Source of Truth and Network Automation Platform. All users of Nautobot versions earlier than…
- CVE-2026-44798 — High (CVSS 7.1): Nautobot is a Network Source of Truth and Network Automation Platform. Prior to 2.4.33 and 3.1.2, a user with access to…
- CVE-2025-49142 — High (CVSS 7.1): Nautobot is a Network Source of Truth and Network Automation Platform. All users of Nautobot versions prior to 2.4.10…
All CVEs affecting Networktocode Nautobot →
Other CWE-521 (Weak Password Requirements) vulnerabilities
- CVE-2026-25715 — Critical (CVSS 9.8): The web management interface of the device allows the administrator username and password to be set to blank values.…
- CVE-2025-53963 — Critical (CVSS 9.8): An issue was discovered on Thermo Fisher Ion Torrent OneTouch 2 INS1005527 devices. They run an SSH server accessible…
- CVE-2025-63747 — Critical (CVSS 9.8): QaTraq 6.9.2 ships with administrative account credentials which are enabled in default installations and permit…
- CVE-2025-12552 — Critical (CVSS 9.8): Insufficient Password Policy.This issue affects BLU-IC2: through 1.19.5; BLU-IC4: through 1.19.5.
- CVE-2025-11200 — Critical (CVSS 9.8): MLflow Weak Password Requirements Authentication Bypass Vulnerability. This vulnerability allows remote attackers to…
- CVE-2025-12364 — Critical (CVSS 9.8): Weak Password Policy.This issue affects BLU-IC2: through 1.19.5; BLU-IC4: through 1.19.5.
Browse all CWE-521 (Weak Password Requirements) vulnerabilities →