User password update via REST API is not hashed #8879

New Issue

adam · 2025-12-29T20:42:27+01:00

adam commented

2025-12-29 20:42:27 +01:00

Originally created by @fanshan on GitHub (Nov 23, 2023).

Originally assigned to: @fanshan on GitHub.

NetBox version

v3.6.5

Python version

3.11

Steps to Reproduce

Create a new User with password (username: test, password: test). For the request use a user with user creation permission:

curl --location 'http://netbox/api/users/users/' \
--header 'Authorization: Token 45202..6e9e092df' \
--header 'Content-Type: application/json' \
--data '{
    "username": "test",
    "password": "test"
}'

Update the new created user's password with a new one. For the request use a user with user change permission and the created user {id}:

curl --location --request PATCH 'http://netbox/api/users/users/{id}/' \
--header 'Authorization: Token 45202..6e9e092df' \
--header 'Content-Type: application/json' \
--data '{
    "password": "newpassword"
}'

Expected Behavior

The password stored on the database must be hashed, so user with the password updated is able to login on the Netbox instance.

Observed Behavior

The password stored on the database is not hashed, so user with the password updated is not able to login on the Netbox instance.

Connected on the database, do (where {id} is the created user's id) :

SELECT password FROM auth_user WHERE id={id}

Result "newpassword"

Originally created by @fanshan on GitHub (Nov 23, 2023). Originally assigned to: @fanshan on GitHub. ### NetBox version v3.6.5 ### Python version 3.11 ### Steps to Reproduce 1. Create a new User with password (username: test, password: test). For the request use a user with user creation permission: ``` curl --location 'http://netbox/api/users/users/' \ --header 'Authorization: Token 45202..6e9e092df' \ --header 'Content-Type: application/json' \ --data '{ "username": "test", "password": "test" }' ``` 2. Update the new created user's password with a new one. For the request use a user with user change permission and the created user `{id}`: ``` curl --location --request PATCH 'http://netbox/api/users/users/{id}/' \ --header 'Authorization: Token 45202..6e9e092df' \ --header 'Content-Type: application/json' \ --data '{ "password": "newpassword" }' ``` ### Expected Behavior The password stored on the database must be hashed, so user with the password updated is able to login on the Netbox instance. ### Observed Behavior The password stored on the database is not hashed, so user with the password updated is not able to login on the Netbox instance. Connected on the database, do (where `{id}` is the created user's id) : `SELECT password FROM auth_user WHERE id={id}` Result `"newpassword"`

adam added the type: bug status: accepted severity: medium labels 2025-12-29 20:42:27 +01:00

adam closed this issue

2025-12-29 20:42:27 +01:00

Sign in to join this conversation.

Branches Tags

main

update-changelog-comments-docs

feature-removal-issue-type

20911-dropdown

20239-plugin-menu-classes-mutable-state

21097-graphql-id-lookups

feature

fix_module_substitution

20923-dcim-templates

20044-elevation-stuck-lightmode

feature-ip-prefix-link

v4.5-beta1-release

20068-import-moduletype-attrs

20766-fix-german-translation-code-literals

20378-del-script

7604-filter-modifiers-v3

circuit-swap

12318-case-insensitive-uniqueness

20637-improve-device-q-filter

20660-script-load

19724-graphql

20614-update-ruff

14884-script

02496-max-page

19720-macaddress-interface-generic-relation

19408-circuit-terminations-export-templates

20203-openapi-check

fix-19669-api-image-download

7604-filter-modifiers

19275-fixes-interface-bulk-edit

fix-17794-get_field_value_return_list

11507-show-aggregate-and-rir-on-api

9583-add_column_specific_search_field_to_tables

1 Participants

Notifications

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: starred/netbox#8879