PT-2026-29333 · Nautobot · Nautobot

Morimori-Dev · Published 2026-03-31 · Updated 2026-04-01 · CVE-2026-34203

CVSS v3.1: 4.3 (Medium)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Name of the Vulnerable Software and Affected Versions
Nautobot versions prior to 2.4.30
Nautobot versions prior to 3.0.10

Description
The application fails to enforce the password validation rules defined by Django's AUTH_PASSWORD_VALIDATORS setting when creating or editing users via the REST API. This setting, configurable in nautobot_config.py, can be used to apply various password complexity rules. The issue allows the creation or modification of user accounts with weak or non-compliant passwords. User management through the admin UI correctly enforces password validation. The vulnerable component is the REST API used for user creation and editing; the affected endpoints are those used for user creation and modification. The AUTH_PASSWORD_VALIDATORS variable is central to the issue.

Recommendations
Versions prior to 2.4.30 should be updated to version 2.4.30 or later. Versions prior to 3.0.10 should be updated to version 3.0.10 or later. Review user permissions for accounts with access to create and modify user accounts via the REST API and restrict access as appropriate. Consider rotating passwords for user accounts suspected of having weak passwords.
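The gap described above, as an added example that is not Nautobot's or Django's code: a pure-Python stand-in modelled on Django's django.contrib.auth.password_validation, with a constructed User class, a constructed validator chain standing in for AUTH_PASSWORD_VALIDATORS, and two API handlers, one that hashes the submitted password without consulting the chain (the vulnerable pattern) and one that runs validate_password against the not-yet-saved user first (the fixed pattern). The names User, validate_password, create_user_unvalidated, create_user_validated and api_result, the validator messages and the tiny common-password list are all assumptions made for the example.

```python
"""Added example: a REST user-creation path must run the same password
validators the admin UI runs.  Pure-Python stand-in modelled on Django's
django.contrib.auth.password_validation; not Nautobot's or Django's code.
Validator names mirror the usual AUTH_PASSWORD_VALIDATORS entries."""
from dataclasses import dataclass
from difflib import SequenceMatcher


class ValidationError(Exception):
    """Carries every validator message at once, as Django's does."""
    def __init__(self, messages):
        super().__init__("; ".join(messages))
        self.messages = list(messages)


@dataclass
class User:
    username: str
    email: str = ""
    password_hash: str = ""  # constructed stand-in; never store plaintext

    def set_password(self, raw):
        # Constructed stand-in for a real password hasher.
        self.password_hash = "hashed:" + raw


# --- validators: each returns an error message or None --------------------
def minimum_length(password, user, min_length=8):
    if len(password) < min_length:
        return f"This password is too short. It must contain at least {min_length} characters."


COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein"}  # constructed tiny list


def common_password(password, user):
    if password.lower() in COMMON_PASSWORDS:
        return "This password is too common."


def numeric_password(password, user):
    if password.isdigit():
        return "This password is entirely numeric."


def user_attribute_similarity(password, user, max_similarity=0.7):
    # Compare against each attribute and the pieces of an e-mail address.
    for attr in (user.username, user.email):
        for part in filter(None, [attr, *attr.split("@")]):
            if SequenceMatcher(a=password.lower(), b=part.lower()).ratio() >= max_similarity:
                return "The password is too similar to the username or email."


# Constructed equivalent of the AUTH_PASSWORD_VALIDATORS chain.
AUTH_PASSWORD_VALIDATORS = [
    user_attribute_similarity, minimum_length, common_password, numeric_password,
]


def validate_password(password, user, validators=AUTH_PASSWORD_VALIDATORS):
    """Run every configured validator and raise with ALL messages collected."""
    errors = [msg for v in validators if (msg := v(password, user))]
    if errors:
        raise ValidationError(errors)


# --- the two API paths ----------------------------------------------------
def create_user_unvalidated(payload):
    """Vulnerable pattern: the serializer hashes the password straight away and
    never consults the validator chain, so the API is weaker than the UI."""
    user = User(payload["username"], payload.get("email", ""))
    user.set_password(payload["password"])
    return user


def create_user_validated(payload):
    """Fixed pattern: validate against the same chain the admin UI uses, passing
    the unsaved user so the similarity check can see its attributes."""
    user = User(payload["username"], payload.get("email", ""))
    validate_password(payload["password"], user)
    user.set_password(payload["password"])
    return user


def api_result(handler, payload):
    """Return (created, error_messages) so both paths can be compared."""
    try:
        handler(payload)
        return True, []
    except ValidationError as exc:
        return False, exc.messages


if __name__ == "__main__":
    weak = {"username": "alice", "email": "alice@example.com", "password": "alice123"}
    for name, handler in [("unvalidated", create_user_unvalidated),
                          ("validated", create_user_validated)]:
        print(name, api_result(handler, weak))
```

The point of the comparison is that the validator chain is configuration, not code: adding a stricter entry to AUTH_PASSWORD_VALIDATORS changes nothing for any code path that never calls validate_password, which is exactly the state the advisory describes for the REST endpoints.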

Related Identifiers

CVE-2026-34203
GHSA-XMPV-J7P2-J873

Affected Products

Nautobot