CVE-2026-42266— jupyterlab: Extension Manager API/GUI Policy Discrepancy allowing 3rd party (malicious) extensions install via POST request.

jupyterlab: Extension Manager API/GUI Policy Discrepancy allowing 3rd party (malicious) extensions install via POST request.

jupyterlab is an extensible environment for interactive and reproducible computing, based on the Jupyter Notebook Architecture. From 4.0.0 to 4.5.6, the allow-list of extensions that can be installed from PyPI Extension Manager (allowed_extensions_uris) is not correctly enforced by JupyterLab. The PyPI Extension Manager was not contained to packages listed on the default PyPI index. This vulnerability is fixed in 4.5.7.

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

参数注入或修改

JupyterLab 参数注入漏洞

JupyterLab是JupyterLab开源的一个用于交互式和可重复计算的可扩展环境，基于 Jupyter Notebook 和架构。 jupyterlab 4.0.0版本至4.5.6版本存在参数注入漏洞，该漏洞源于PyPI Extension Manager的允许列表未正确执行，导致扩展安装不受限于默认PyPI索引。

N/A

N/A