Glennnmatthews

#31108 of 53,638
8.3 CVSS total
Vulnerabilities · 1
PT-2023-7024
8.3
2023-10-24
Nautobot · Nautobot · CVE-2023-46128
**Name of the Vulnerable Software and Affected Versions**

Nautobot versions 2.0.0 through 2.0.2

**Description**

Nautobot's REST API exposes hashed user passwords when the `?depth=<N>` query parameter is used to expand nested objects on endpoints whose records reference a user: the nested user object is serialized with its password hash included. Any authenticated user with access to such an endpoint can retrieve the hashes. Passwords are not exposed in plaintext. Known impacted endpoints include `/api/dcim/rack-reservations/`, `/api/extras/job-results/`, `/api/extras/notes/`, `/api/extras/object-changes/`, `/api/extras/scheduled-jobs/`, and `/api/users/permissions/`, among others, when an appropriate `?depth=<N>` value is specified.

**Recommendations**

To resolve the issue, upgrade to Nautobot version 2.0.3 or later. As a temporary workaround, access to the impacted REST API endpoints can be restricted, but this is not recommended as a fix: other endpoints may expose the same issue until the instance is patched.
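The following is an added example, not code from the Nautobot project or from the advisory: a small stdlib-only checker that builds the `?depth=<N>` probe URLs for the endpoints listed above and scans a decoded API response for Django-style password hashes at any nesting depth. The two JSON bodies are constructed to illustrate the shape of the problem (a nested `user` object that does or does not carry a `password` hash); they are not real Nautobot responses, the host name is a placeholder, and fetching the URLs with an API token is left to the reader.

```python
"""
Check REST API responses for nested password hashes.

Added example for CVE-2023-46128, not Nautobot project code. The JSON
payloads below are constructed: they model a depth-expanded record whose
nested "user" carries a Django-style password hash (unpatched) or omits
it (patched). The real Nautobot response layout is not reproduced.
"""
import json
import re
from typing import Iterator

# Django hasher output starts with the algorithm name followed by "$",
# e.g. "pbkdf2_sha256$<iterations>$<salt>$<hash>".
DJANGO_HASH_RE = re.compile(
    r"^(pbkdf2_sha256|pbkdf2_sha1|argon2|bcrypt_sha256|bcrypt|scrypt)\$"
)

# Endpoints named in the advisory; ?depth=<N> is appended by build_probe_urls.
ADVISORY_ENDPOINTS = [
    "/api/dcim/rack-reservations/",
    "/api/extras/job-results/",
    "/api/extras/notes/",
    "/api/extras/object-changes/",
    "/api/extras/scheduled-jobs/",
    "/api/users/permissions/",
]


def build_probe_urls(base_url: str, depth: int = 1) -> list[str]:
    """URLs to request (with a valid API token) to test an instance."""
    base = base_url.rstrip("/")
    return [f"{base}{path}?depth={depth}" for path in ADVISORY_ENDPOINTS]


def find_password_hashes(obj, path: str = "$") -> Iterator[tuple[str, str]]:
    """Walk a decoded JSON document and yield (json_path, value) for every
    string that looks like a Django password hash, however deeply nested."""
    if isinstance(obj, dict):
        for key, value in obj.items():
            yield from find_password_hashes(value, f"{path}.{key}")
    elif isinstance(obj, list):
        for i, value in enumerate(obj):
            yield from find_password_hashes(value, f"{path}[{i}]")
    elif isinstance(obj, str) and DJANGO_HASH_RE.match(obj):
        yield path, obj


def response_leaks_hashes(body: str) -> list[str]:
    """Return the JSON paths of leaked hashes in a raw response body ([] if clean)."""
    return [p for p, _ in find_password_hashes(json.loads(body))]


# Constructed sample: a depth-expanded rack reservation as an unpatched
# instance might return it (nested user includes its password hash).
VULNERABLE_BODY = json.dumps({
    "count": 1,
    "results": [{
        "id": "7b1f2a6e-0000-4000-8000-000000000001",
        "units": [1, 2],
        "user": {
            "username": "alice",
            "password": "pbkdf2_sha256$600000$abcdefghijklmnop$Q2h1bmtPZkJhc2U2NEhhc2g=",
            "is_superuser": False,
        },
    }],
})

# Constructed sample: the same record with the nested user serialized
# without the password field, as a patched instance should return it.
PATCHED_BODY = json.dumps({
    "count": 1,
    "results": [{
        "id": "7b1f2a6e-0000-4000-8000-000000000001",
        "units": [1, 2],
        "user": {"username": "alice", "is_superuser": False},
    }],
})


if __name__ == "__main__":
    # Placeholder host; replace with the instance under test.
    for url in build_probe_urls("https://nautobot.example.internal"):
        print("probe:", url)
    print("unpatched sample:", response_leaks_hashes(VULNERABLE_BODY))
    print("patched sample:", response_leaks_hashes(PATCHED_BODY))
```

The scan keys on the hash format rather than on the field name, so it also catches a hash that is surfaced under a different key or several objects deep, which is what makes `?depth=<N>` expansion worth checking beyond the endpoints listed here.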