diff --git a/common/libnetwork/cni/cni_exec.go b/common/libnetwork/cni/cni_exec.go
index 79d7ef120c..4b7ed8c6d9 100644
--- a/common/libnetwork/cni/cni_exec.go
+++ b/common/libnetwork/cni/cni_exec.go
@@ -26,8 +26,10 @@ import (
 "context"
 "encoding/json"
 "fmt"
+ "os"
 "os/exec"
 "path/filepath"
+ "strings"
 
 "github.com/containernetworking/cni/pkg/invoke"
 "github.com/containernetworking/cni/pkg/version"
@@ -80,6 +82,16 @@ func (e *cniExec) ExecPlugin(ctx context.Context, pluginPath string, stdinData [
 c.Env = append(c.Env, "XDG_RUNTIME_DIR=")
 }
 
+ // The CNI plugins need access to iptables in $PATH. As it turns out debian doesn't put
+ // /usr/sbin in $PATH for rootless users. This will break rootless networking completely.
+ // We might break existing users and we cannot expect everyone to change their $PATH so
+ // let's add /usr/sbin to $PATH ourselves.
+ path := os.Getenv("PATH")
+ if !strings.Contains(path, "/usr/sbin") {
+ path += ":/usr/sbin"
+ c.Env = append(c.Env, "PATH="+path)
+ }
+
 err := c.Run()
 if err != nil {
 return nil, annotatePluginError(err, pluginPath, stdout.Bytes(), stderr.Bytes())
diff --git a/common/libnetwork/netavark/exec.go b/common/libnetwork/netavark/exec.go
index f2c82359ad..e3f9047667 100644
--- a/common/libnetwork/netavark/exec.go
+++ b/common/libnetwork/netavark/exec.go
@@ -10,6 +10,7 @@ import (
 "os"
 "os/exec"
 "strconv"
+ "strings"
 
 "github.com/sirupsen/logrus"
 )
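Review bot: The check `strings.Contains(path, "/usr/sbin")` added to ExecPlugin in cni_exec.go is a substring match on the whole PATH string, so an entry such as `/opt/usr/sbin` or `/usr/sbin-old` suppresses the fix while `/usr/sbin` itself is still missing; the test should compare whole list elements. When PATH is empty or unset the exported value becomes `:/usr/sbin`, and an empty leading element is conventionally resolved as the current working directory during PATH lookup, which is not a place a network helper should be searching for `iptables`. The same lines appear in the execNetavark hunk of netavark/exec.go and need the same change. ExecPlugin's body starts and ends outside the hunk.

```go
// … unchanged: XDG_RUNTIME_DIR handling and the explanatory comment …
path := os.Getenv("PATH")
if !strings.Contains(":"+path+":", ":/usr/sbin:") {
	if path == "" {
		path = "/usr/sbin"
	} else {
		path += ":/usr/sbin"
	}
	c.Env = append(c.Env, "PATH="+path)
}
```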
@@ -79,6 +80,15 @@ func getRustLogEnv() string {
 func (n *netavarkNetwork) execNetavark(args []string, needPlugin bool, stdin, result interface{}) error {
 // set the netavark log level to the same as the podman
 env := append(os.Environ(), getRustLogEnv())
+ // Netavark need access to iptables in $PATH. As it turns out debian doesn't put
+ // /usr/sbin in $PATH for rootless users. This will break rootless networking completely.
+ // We might break existing users and we cannot expect everyone to change their $PATH so
+ // let's add /usr/sbin to $PATH ourselves.
+ path := os.Getenv("PATH")
+ if !strings.Contains(path, "/usr/sbin") {
+ path += ":/usr/sbin"
+ env = append(env, "PATH="+path)
+ }
 // if we run with debug log level lets also set RUST_BACKTRACE=1 so we can get the full stack trace in case of panics
 if logrus.IsLevelEnabled(logrus.DebugLevel) {
 env = append(env, "RUST_BACKTRACE=1")
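Review bot: This block is a line-for-line copy of the PATH fix-up added to ExecPlugin in cni_exec.go, comment included, so the two copies will drift as soon as one is corrected; a single unexported helper that takes the current PATH and returns the value to export would keep both backends in step. The new `PATH=` entry is appended after the one already present in `os.Environ()`, which works because os/exec keeps the last value of a duplicated key, but only if `env` reaches the command's `Env` unchanged; that assignment is outside this hunk and worth a short comment such as `// appended last so it overrides the inherited PATH`. The first comment line should read `// Netavark needs access to iptables in $PATH.` execNetavark continues past the end of the hunk.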