High severity8.8GHSA Advisory· Published May 13, 2026· Updated May 13, 2026
CVE-2026-42266
CVE-2026-42266
Description
jupyterlab is an extensible environment for interactive and reproducible computing, based on the Jupyter Notebook Architecture. From 4.0.0 to 4.5.6, the allow-list of extensions that can be installed from PyPI Extension Manager (allowed_extensions_uris) is not correctly enforced by JupyterLab. The PyPI Extension Manager was not contained to packages listed on the default PyPI index. This vulnerability is fixed in 4.5.7.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
jupyterlabPyPI | >= 4.0.0, < 4.5.7 | 4.5.7 |
Affected products
1- Range: >= 4.0.0, <= 4.5.6
Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
5- github.com/advisories/GHSA-37w4-hwhx-4rc4ghsaADVISORY
- github.com/jupyterlab/jupyterlab/releases/tag/v4.5.7ghsaWEB
- github.com/jupyterlab/jupyterlab/security/advisories/GHSA-37w4-hwhx-4rc4nvdWEB
- jupyterhub.readthedocs.io/en/5.2.1/explanation/websecurity.htmlghsaWEB
- jupyterlab.readthedocs.io/en/latest/user/extensions.htmlghsaWEB
News mentions
0No linked articles in our index yet.