netbox-docker before 2.5.0 has a superuser account with...
Critical severity
Unreviewed
Published
Mar 11, 2026
to the GitHub Advisory Database
•
Updated May 7, 2026
Description
Published by the National Vulnerability Database
Mar 11, 2026
Published to the GitHub Advisory Database
Mar 11, 2026
Last updated
May 7, 2026
netbox-docker before 2.5.0 has a superuser account with default credentials (admin password for the admin account, and 0123456789abcdef0123456789abcdef01234567 value for SUPERUSER_API_TOKEN). In practice on the public Internet, almost all users changed the password but only about 90% changed the token. Having a default token value was intentional and was valuable for the main intended use case of the netbox-docker product (isolated development networks). Some users engaged in an effort to repurpose netbox-docker for production. The documentation for this effort stated that the defaults must not be used. However, installation did not ensure non-default values. The Supplier was aware of the CVE ID assignment and did not object to the assignment.
References