Nixpkgs security tracker

Untriaged

Permalink CVE-2026-40864

5.4 MEDIUM

CVSS version (CVSS): 3.1
Attack Vector (AV): Network (N)
Attack Complexity (AC): Low (L)
Privileges Required (PR): None (N)
User Interaction (UI): Required (R)
Scope (S): Unchanged (U)
Confidentiality (C): None (N)
Integrity (I): Low (L)
Availability (A): Low (L)
Modified Attack Vector (MAV): Network (N)
Modified Attack Complexity (MAC): Low (L)
Modified Privileges Required (MPR): None (N)
Modified User Interaction (MUI): Required (R)
Modified Confidentiality (MC): None (N)
Modified Scope (MS): Unchanged (U)
Modified Integrity (MI): Low (L)
Modified Availability (MA): Low (L)

created 1 week, 3 days ago Activity log

Created suggestion 1 week, 3 days ago

JupyterHub: Cross-origin form POSTs bypass XSRF

JupyterHub is software that allows users to create a multi-user server for Jupyter notebooks. In versions 4.1.0 through 5.4.4, XSRF protection (updated in 4.1.0) inappropriately treated requests with Sec-Fetch-Mode: no-cors as same-origin requests, bypassing XSRF checks. The JSON API is not affected, only HTTP form endpoints, such as /hub/spawn and /hub/accept-share, meaning attackers could trigger server spawn (but not access the server) and if the attacker is a JupyterHub user permitted to share access to their server, cause a user to accept a share and have access to the attacker's server. This issue has been fixed in version 5.4.5. If developers are unable to immediately upgrade, they can temporarily mitigate this issue by dropping requests to JupyterHub with Sec-Fetch-Mode: no-cors if they are using a reverse proxy.

References

https://github.com/jupyterhub/jupyterhub/security/advisories/GHSA-m68r-v472-jgq9 x_refsource_CONFIRM
https://github.com/jupyterhub/jupyterhub/commit/9c5ec277d3cda5a59de2d8c8117efa77bd941127 x_refsource_MISC

Affected products

jupyterhub

==>= 4.1.0, < 5.4.5

Matching in nixpkgs

pkgs.python312Packages.jupyterhub

Serves multiple Jupyter notebook instances

nixos-25.11 5.4.2
- nixos-25.11-small 5.4.2
- nixpkgs-25.11-darwin 5.4.2

pkgs.python313Packages.jupyterhub

Serves multiple Jupyter notebook instances

nixos-unstable 5.4.5
- nixpkgs-unstable 5.4.6
- nixos-unstable-small 5.4.6
nixos-25.11 5.4.2
- nixos-25.11-small 5.4.2
- nixpkgs-25.11-darwin 5.4.2

pkgs.python314Packages.jupyterhub

Serves multiple Jupyter notebook instances

nixos-unstable 5.4.5
- nixpkgs-unstable 5.4.6
- nixos-unstable-small 5.4.6

pkgs.python312Packages.jupyterhub-systemdspawner

JupyterHub Spawner using systemd for resource isolation

nixos-25.11 1.0.2
- nixos-25.11-small 1.0.2
- nixpkgs-25.11-darwin 1.0.2

pkgs.python313Packages.jupyterhub-systemdspawner

JupyterHub Spawner using systemd for resource isolation

nixos-unstable 1.0.2
- nixpkgs-unstable 1.0.2
- nixos-unstable-small 1.0.2
nixos-25.11 1.0.2
- nixos-25.11-small 1.0.2
- nixpkgs-25.11-darwin 1.0.2

pkgs.python314Packages.jupyterhub-systemdspawner

JupyterHub Spawner using systemd for resource isolation

nixos-unstable 1.0.2
- nixpkgs-unstable 1.0.2
- nixos-unstable-small 1.0.2

pkgs.python312Packages.jupyterhub-tmpauthenticator

Simple Jupyterhub authenticator that allows anyone to log in

nixos-25.11 1.0.0
- nixos-25.11-small 1.0.0
- nixpkgs-25.11-darwin 1.0.0

pkgs.python313Packages.jupyterhub-tmpauthenticator

Simple Jupyterhub authenticator that allows anyone to log in

nixos-unstable 1.0.0
- nixpkgs-unstable 1.0.0
- nixos-unstable-small 1.0.0
nixos-25.11 1.0.0
- nixos-25.11-small 1.0.0
- nixpkgs-25.11-darwin 1.0.0

pkgs.python314Packages.jupyterhub-tmpauthenticator

Simple Jupyterhub authenticator that allows anyone to log in

nixos-unstable 1.0.0
- nixpkgs-unstable 1.0.0
- nixos-unstable-small 1.0.0

pkgs.python312Packages.jupyterhub-ldapauthenticator

Simple LDAP Authenticator Plugin for JupyterHub

nixos-25.11 2.0.2
- nixos-25.11-small 2.0.2
- nixpkgs-25.11-darwin 2.0.2

pkgs.python313Packages.jupyterhub-ldapauthenticator

Simple LDAP Authenticator Plugin for JupyterHub

nixos-unstable 2.0.2
- nixpkgs-unstable 2.0.2
- nixos-unstable-small 2.0.2
nixos-25.11 2.0.2
- nixos-25.11-small 2.0.2
- nixpkgs-25.11-darwin 2.0.2

pkgs.python314Packages.jupyterhub-ldapauthenticator

Simple LDAP Authenticator Plugin for JupyterHub

nixos-unstable 2.0.2
- nixpkgs-unstable 2.0.2
- nixos-unstable-small 2.0.2

Package maintainers

@natsukium Tomoya Otabi <nixpkgs@natsukium.com>
@thomasjm Tom McLaughlin <tom@codedown.io>
@GaetanLepage Gaetan Lepage <gaetan@glepage.com>
@chiroptical Barry Moore II <chiroptical@gmail.com>

Untriaged

Permalink CVE-2026-33709

created 1 month, 4 weeks ago Activity log

Created suggestion 1 month, 4 weeks ago

JupyterHub has an Open Redirect Vulnerability

JupyterHub is software that allows one to create a multi-user server for Jupyter notebooks. Prior to version 5.4.4, an open redirect vulnerability in JupyterHub allows attackers to construct links which, when clicked, take users to the JupyterHub login page, after which they are sent to an arbitrary attacker-controlled site outside JupyterHub instead of a JupyterHub page, bypassing JupyterHub's check to prevent this. This issue has been patched in version 5.4.4.