Jupyterhub
by Jupyterhub
CVEs (1)
| CVE | Sev | Risk | CVSS | EPSS | KEV | Published |
|---|---|---|---|---|---|---|
| CVE-2026-40864 |  | 0.00 | — | — |  | May 5, 2026 |

## Summary

JupyterHub's XSRF protection (updated in 4.1.0) incorrectly treated requests carrying `Sec-Fetch-Mode: no-cors` as same-origin requests, which they are not, so such requests bypassed the XSRF checks. The JSON API is not affected; only HTTP form endpoints such as `/hub/spawn` and `/hub/accept-share` are. As a result, an attacker could trigger a server spawn (but not access the spawned server), and an attacker who is a JupyterHub user permitted to share access to their own server could cause a user to accept a share and thereby have access to the attacker's server.

## Patches

Upgrade to JupyterHub 5.4.5.

## Mitigations

If a reverse proxy is in use, drop requests to JupyterHub with `Sec-Fetch-Mode: no-cors`.