From 5ad4e952078d7f44111fec248928ab8db966d6c8 Mon Sep 17 00:00:00 2001
From: Martin Hauser <mhauser@netboxlabs.com>
Date: Thu, 2 Apr 2026 18:42:06 +0200
Subject: [PATCH] Closes #21720: Improve validation of URLs containing HTTP
 basic authentication (#21822)

Fixes #21720
---
 netbox/utilities/validators.py | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/netbox/utilities/validators.py b/netbox/utilities/validators.py
index 966bdf40f..47622d4d5 100644
--- a/netbox/utilities/validators.py
+++ b/netbox/utilities/validators.py
@@ -31,11 +31,11 @@ class EnhancedURLValidator(URLValidator):
     fqdn_re = URLValidator.hostname_re + URLValidator.domain_re + URLValidator.tld_re
     host_res = [URLValidator.ipv4_re, URLValidator.ipv6_re, fqdn_re, URLValidator.hostname_re]
     regex = _lazy_re_compile(
-        r'^(?:[a-z0-9\.\-\+]*)://'          # Scheme (enforced separately)
-        r'(?:\S+(?::\S*)?@)?'               # HTTP basic authentication
-        r'(?:' + '|'.join(host_res) + ')'   # IPv4, IPv6, FQDN, or hostname
-        r'(?::\d{1,5})?'                    # Port number
-        r'(?:[/?#][^\s]*)?'                 # Path
+        r'^(?:[a-z0-9\.\-\+]*)://'           # Scheme (enforced separately)
+        r'(?:[^\s:@/]+(?::[^\s:@/]*)?@)?'    # HTTP basic authentication
+        r'(?:' + '|'.join(host_res) + ')'    # IPv4, IPv6, FQDN, or hostname
+        r'(?::\d{1,5})?'                     # Port number
+        r'(?:[/?#][^\s]*)?'                  # Path
         r'\Z', re.IGNORECASE)
     schemes = None