High severity (CVSS 8.8) · GHSA Advisory · Published May 13, 2026 · Updated May 26, 2026
CVE-2026-42266
Description
JupyterLab is an extensible environment for interactive and reproducible computing, based on the Jupyter Notebook architecture. In versions 4.0.0 through 4.5.6, JupyterLab does not correctly enforce the allow-list of extensions that can be installed from the PyPI Extension Manager (allowed_extensions_uris): the PyPI Extension Manager was not restricted to packages listed on the default PyPI index. This vulnerability is fixed in 4.5.7.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| jupyterlab (PyPI) | >= 4.0.0, < 4.5.7 | 4.5.7 |
Affected products
jupyterlab (2 coordinates):
- (no CPE): >= 4.0.0, <= 4.5.6
- cpe:2.3:a:jupyter:jupyterlab:*:*:*:*:*:*:*:*: >= 4.0.0, < 4.5.7
OSV coordinates (5 packages, each with its affected range):
- pkg:apk/chainguard/datahub-ingestion (no CPE): < 1.5.0.4-r0
- pkg:apk/chainguard/datahub-ingestion-fips (no CPE): < 1.5.0.1-r2
- pkg:bitnami/jupyterlab (no CPE): >= 4.0.0, < 4.5.7
- pkg:pypi/jupyterlab (no CPE): >= 4.0.0, < 4.5.7
- pkg:rpm/opensuse/python-jupyterlab&distro=openSUSE%20Tumbleweed (no CPE): < 4.5.7-1.1
References
- github.com/jupyterlab/jupyterlab/releases/tag/v4.5.7 (NVD: Patch, Release Notes; web)
- github.com/advisories/GHSA-37w4-hwhx-4rc4 (GHSA: advisory)
- github.com/jupyterlab/jupyterlab/security/advisories/GHSA-37w4-hwhx-4rc4 (NVD: Mitigation, Vendor Advisory; web)
- nvd.nist.gov/vuln/detail/CVE-2026-42266 (GHSA: advisory)
- github.com/pypa/advisory-database/tree/main/vulns/jupyterlab/PYSEC-2026-164.yaml (GHSA: web)
- jupyterhub.readthedocs.io/en/5.2.1/explanation/websecurity.html (NVD: Product; web)
- jupyterlab.readthedocs.io/en/latest/user/extensions.html (NVD: Product; web)