VYPR
Moderate severity · GHSA Advisory · Published May 5, 2026 · Updated May 5, 2026

JupyterHub: cross-origin form POSTs bypass XSRF (CWE-352)

CVE-2026-40864

Description

Summary

JupyterHub's XSRF protection (reworked in 4.1.0) incorrectly treated requests carrying Sec-Fetch-Mode: no-cors as same-origin requests, which they are not, so such requests bypassed the XSRF checks. The JSON API is not affected; only HTTP form endpoints such as /hub/spawn and /hub/accept-share are. An attacker could therefore trigger a server spawn (but not access the spawned server), and an attacker who is a JupyterHub user permitted to share access to their server could cause a victim to accept a share, giving the victim access to the attacker's server.

Patches

Upgrade to JupyterHub 5.4.5.

Mitigations

If a reverse proxy is in use, drop requests to JupyterHub with Sec-Fetch-Mode: no-cors.
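The origin decision the Summary describes and the reverse-proxy workaround above, modelled in Python as an added example (this is not JupyterHub's code and does not reproduce its implementation): one function treats Sec-Fetch-Mode: no-cors as proof of a same-origin request, the other derives origin only from Sec-Fetch-Site, and a third models the proxy rule. The endpoint list comes from the advisory; the token value, the use of an X-XSRFToken header as the token carrier, the static-asset path and the sample requests are constructed, and scoping the proxy rule to POST requests is this example's own narrowing of the advisory's wording.

```python
"""Model of the XSRF origin decision behind CVE-2026-40864 (added example,
not JupyterHub's code). Paths other than the two advisory endpoints, header
values and sample requests are constructed for illustration."""

from dataclasses import dataclass, field
from typing import Callable, Dict

# Form endpoints the advisory names as affected (the JSON API is out of scope).
FORM_ENDPOINTS = ("/hub/spawn", "/hub/accept-share")

# Constructed stand-in for the per-session XSRF token.
VALID_XSRF_TOKEN = "example-xsrf-token"


@dataclass
class Request:
    method: str
    path: str
    headers: Dict[str, str] = field(default_factory=dict)

    def header(self, name: str) -> str:
        """Case-insensitive header lookup; a missing header reads as ''."""
        for key, value in self.headers.items():
            if key.lower() == name.lower():
                return value
        return ""


def same_origin_vulnerable(req: Request) -> bool:
    """The flawed decision: a no-cors request is assumed to be same-origin.
    Browsers send Sec-Fetch-Mode: no-cors for cross-site requests as well,
    with cookies attached, so this shortcut waives the token check for them."""
    if req.header("Sec-Fetch-Mode") == "no-cors":
        return True
    return req.header("Sec-Fetch-Site") == "same-origin"


def same_origin_fixed(req: Request) -> bool:
    """Origin is read only from Sec-Fetch-Site; the request mode says nothing
    about it. A missing header (non-browser client) is not same-origin, so
    such clients must present the token instead."""
    return req.header("Sec-Fetch-Site") == "same-origin"


def xsrf_check_passes(req: Request, same_origin: Callable[[Request], bool]) -> bool:
    """Form POSTs to affected endpoints must be same-origin or carry the token."""
    if req.method.upper() != "POST" or req.path not in FORM_ENDPOINTS:
        return True  # not an affected form endpoint in this model
    if same_origin(req):
        return True
    return req.header("X-XSRFToken") == VALID_XSRF_TOKEN


def proxy_drops(req: Request) -> bool:
    """Reverse-proxy workaround: drop requests with Sec-Fetch-Mode: no-cors.
    Scoped to POST here (this example's narrowing): same-origin <script> and
    <img> loads also carry no-cors, and dropping those breaks the Hub's pages."""
    return req.method.upper() == "POST" and req.header("Sec-Fetch-Mode") == "no-cors"


def run_scenarios() -> Dict[str, Dict[str, bool]]:
    """Evaluate constructed requests under both checks and the proxy filter."""
    scenarios = {
        # A user submitting the spawn form from a Hub page, token present.
        "same_origin_form_post": Request("POST", "/hub/spawn", {
            "Sec-Fetch-Site": "same-origin", "Sec-Fetch-Mode": "navigate",
            "X-XSRFToken": VALID_XSRF_TOKEN}),
        # A cross-site no-cors POST to the share form with no token.
        "cross_site_no_cors_post": Request("POST", "/hub/accept-share", {
            "Sec-Fetch-Site": "cross-site", "Sec-Fetch-Mode": "no-cors"}),
        # The Hub's own page loading a script: no-cors, but a GET (constructed path).
        "same_origin_script_load": Request("GET", "/hub/static/js/example.js", {
            "Sec-Fetch-Site": "same-origin", "Sec-Fetch-Mode": "no-cors"}),
        # A scripted client without Sec-Fetch headers but with the token.
        "token_client_post": Request("POST", "/hub/spawn", {
            "X-XSRFToken": VALID_XSRF_TOKEN}),
    }
    return {
        name: {
            "vulnerable_allows": xsrf_check_passes(req, same_origin_vulnerable),
            "fixed_allows": xsrf_check_passes(req, same_origin_fixed),
            "proxy_drops": proxy_drops(req),
        }
        for name, req in scenarios.items()
    }


if __name__ == "__main__":
    for name, verdict in run_scenarios().items():
        print(f"{name:26s} {verdict}")
```

The cross-site no-cors scenario is the one the advisory is about: the flawed check admits it without a token, the Sec-Fetch-Site check rejects it, and the proxy rule drops it before it reaches the Hub. The script-load scenario shows why the proxy rule is worth scoping to POST.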

Affected packages

Versions sourced from the GitHub Security Advisory.

Package      Ecosystem   Affected versions     Patched versions
jupyterhub   PyPI        >= 4.1.0, < 5.4.5     5.4.5
