CVE-2023-27573

netbox-docker before 2.5.0 has a superuser account with default credentials (admin password for the admin account, and 0123456789abcdef0123456789abcdef01234567 value for SUPERUSER_API_TOKEN). In practice on the public Internet, almost all users changed the password but only about 90% changed the token. Having a default token value was intentional and was valuable for the main intended use case of the netbox-docker product (isolated development networks). Some users engaged in an effort to repurpose netbox-docker for production. The documentation for this effort stated that the defaults must not be used. However, installation did not ensure non-default values. The Supplier was aware of the CVE ID assignment and did not object to the assignment.

CVSS v3 9.0 CRITICAL

9.0^/10

CVSS v3 : CRITICAL

V3 Legend

Vector :

Exploitability : 2.2 / Impact : 6.0

Attack Vector NETWORK

Attack Complexity HIGH

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope CHANGED

References

Link	Resource
https://github.com/netbox-community/netbox-docker/issues/953	Exploit Issue Tracking
https://github.com/netbox-community/netbox-docker/pull/959	Issue Tracking Patch
https://github.com/netbox-community/netbox-docker/releases/tag/2.5.0	Release Notes

Configurations

Configuration 1 (hide)

cpe:2.3:a:netboxlabs:netbox-docker:*:*:*:*:*:*:*:*

History

07 May 2026, 18:13

Type	Values Removed	Values Added
CPE		cpe:2.3:a:netboxlabs:netbox-docker::::::::
First Time		Netboxlabs Netboxlabs netbox-docker
CWE		CWE-798
Summary		(es) netbox-docker anterior a la versión 2.5.0 tiene una cuenta de superusuario con credenciales predeterminadas (contraseña 'admin' para la cuenta 'admin', y el valor 0123456789abcdef0123456789abcdef01234567 para SUPERUSER_API_TOKEN). En la práctica, en la Internet pública, casi todos los usuarios cambiaron la contraseña, pero solo alrededor del 90% cambió el token. Tener un valor de token predeterminado fue intencional y fue valioso para el caso de uso principal previsto del producto netbox-docker (redes de desarrollo aisladas). Algunos usuarios se embarcaron en un esfuerzo para reutilizar netbox-docker para producción. La documentación para este esfuerzo indicaba que los valores predeterminados no debían usarse. Sin embargo, la instalación no garantizaba valores no predeterminados. El Proveedor estaba al tanto de la asignación del ID de CVE y no se opuso a la asignación.
References	~~() https://github.com/netbox-community/netbox-docker/issues/953 -~~	() https://github.com/netbox-community/netbox-docker/issues/953 - Exploit, Issue Tracking
References	~~() https://github.com/netbox-community/netbox-docker/pull/959 -~~	() https://github.com/netbox-community/netbox-docker/pull/959 - Issue Tracking, Patch
References	~~() https://github.com/netbox-community/netbox-docker/releases/tag/2.5.0 -~~	() https://github.com/netbox-community/netbox-docker/releases/tag/2.5.0 - Release Notes

11 Mar 2026, 06:17

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-03-11 06:17

Updated : 2026-05-07 18:13

NVD link : CVE-2023-27573

Mitre link : CVE-2023-27573

CVE.ORG link : CVE-2023-27573

JSON object : View

Products Affected

netboxlabs

netbox-docker

CWE

CWE-1392

Use of Default Credentials

CWE-798

Use of Hard-coded Credentials

9.0 /10