CVE-2026-6657
Description
Jupyter-server versions 1.12.0-2.17.0 are vulnerable to CORS bypass via re.match(), enabling phishing and RCE.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
A vulnerability exists in jupyter-server versions 1.12.0 through 2.17.0 where the allow_origin_pat configuration can be bypassed due to improper use of re.match() for validating the Origin header. This function only anchors at the start of the string, allowing malicious domains like trusted.example.com.evil.com to match patterns intended for trusted.example.com [1].
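The following Python is an added illustration, not code from jupyter-server: it places a prefix-only origin check of the kind the advisory describes (`re.match()`) beside a full-match check (`re.fullmatch()`) and runs both over constructed Origin values. The pattern, the origin strings and the helper names (`origin_allowed_prefix`, `origin_allowed_full`, `audit_origins`, `pattern_is_end_anchored`) are assumptions made for this example.

```python
import re

# Constructed pattern in the shape an allow_origin_pat value might take
# (assumption for this example, not taken from any real deployment).
TRUSTED_PATTERN = r"https://trusted\.example\.com"


def origin_allowed_prefix(pattern: str, origin: str) -> bool:
    """Weak check: re.match() anchors only at the start of the string, so any
    Origin value that merely *begins* with the trusted value is accepted."""
    return re.match(pattern, origin) is not None


def origin_allowed_full(pattern: str, origin: str) -> bool:
    """Hardened check: re.fullmatch() requires the entire Origin value to match,
    so trailing attacker-controlled labels are rejected."""
    return re.fullmatch(pattern, origin) is not None


def pattern_is_end_anchored(pattern: str) -> bool:
    """Quick config audit for a deployment that still uses a prefix matcher:
    a pattern ending in '$' or '\\Z' is anchored at the end as well. This is a
    heuristic (an escaped '\\$' would be misread), not a substitute for upgrading."""
    return pattern.endswith("$") or pattern.endswith(r"\Z")


def audit_origins(pattern: str, origins: list[str]) -> dict[str, tuple[bool, bool]]:
    """Return {origin: (prefix_check_result, full_match_result)} so the two
    behaviours can be compared side by side."""
    return {
        origin: (origin_allowed_prefix(pattern, origin), origin_allowed_full(pattern, origin))
        for origin in origins
    }


if __name__ == "__main__":
    # Constructed sample Origin header values.
    samples = [
        "https://trusted.example.com",            # legitimate
        "https://trusted.example.com.evil.com",   # lookalike the advisory describes
        "http://trusted.example.com",             # wrong scheme
    ]
    for origin, (prefix_ok, full_ok) in audit_origins(TRUSTED_PATTERN, samples).items():
        print(f"{origin:40}  re.match={prefix_ok!s:5}  re.fullmatch={full_ok}")
    print("pattern end-anchored:", pattern_is_end_anchored(TRUSTED_PATTERN))
```

Running the audit shows the legitimate origin passing both checks while the lookalike passes only the prefix check; the `pattern_is_end_anchored` helper is a stop-gap review of a configured pattern for deployments that have not yet moved to the fixed release, since the real remedy is the upgrade the advisory names.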
Exploitation
An attacker can exploit this vulnerability by crafting a malicious Origin header that partially matches a legitimate pattern. This can be achieved by appending an attacker-controlled domain after a valid one, tricking the server into accepting the request. This bypass affects CORS headers, WebSocket connections, referer validation, and login redirects [1].
Impact
Successful exploitation allows an attacker to bypass origin validation, potentially leading to phishing attacks, arbitrary code execution, and unauthorized access to sensitive API responses. The scope of the compromise depends on the specific context where the validation is bypassed [1].
Mitigation
Jupyter-server versions 1.12.0 through 2.17.0 are affected. A fix is available in jupyter-server version 2.18.0, released on 2024-06-03. Users are advised to upgrade to the patched version to address this vulnerability [1].
AI Insight generated on Jun 3, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
Range: 1.12.0 - 2.17.0
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.