
jupyterhub — Vulnerabilities & Security Advisories (21)

Browse all 21 CVE security advisories affecting jupyterhub and the authenticator, spawner and proxy packages built around it. AI-powered Chinese analysis, POCs, and references are provided for each vulnerability.

JupyterHub is a multi-user hub that spawns, manages, and proxies single-user Jupyter server instances, typically for shared data-science and teaching environments. The twenty-one advisories listed below cover the hub itself together with the authenticator, spawner and proxy packages that surround it, and most of them sit in those ecosystem components rather than in the core jupyterhub package. The dominant theme is authentication and authorization bypass in authenticators: an OAuth email claim accepted without verification, an LTI 1.3 JWT whose signature was not validated, and allow-list, identity-provider and hosted-domain restrictions that were not enforced. The remaining entries include missing authentication on proxied WebSocket connections, a TigerVNC service reachable over the network when it was meant to listen only on a UNIX socket, reflected XSS in jupyter-server-proxy, an authenticated SSRF in the same package, code injection in BinderHub and nbgitpuller, and spawner behaviour that allowed arbitrary container images, pod name collisions, or API tokens readable by other users. In the hub itself the records are an open redirect, a privilege escalation through the `admin:users` scope, XSS reachable through cookie tossing, and an incomplete logout. The practical consequence of most of these flaws is an attacker reaching another user's server or the hub API with more privilege than intended, so the controls that matter are keeping the authenticator, spawner and proxy packages patched alongside jupyterhub, preferring explicit allow-lists over permissive defaults, and checking that what the proxy actually exposes matches what the configuration intends.

| CVE ID | Title | Component | CWE | CVSS | Severity | Published |
|---|---|---|---|---|---|---|
| CVE-2026-34052 | LTI JupyterHub Authenticator: Unbounded Memory Growth via Nonce Storage (Denial of Service) | ltiauthenticator | CWE-401 | 5.9 | Medium | 2026-04-03 |
| CVE-2026-33709 | JupyterHub has an Open Redirect Vulnerability | jupyterhub | CWE-601 | 6.1 (AI) | Medium (AI) | 2026-04-03 |
| CVE-2026-33175 | OAuthenticator: Authentication Bypass in Auth0OAuthenticator via Unverified Email Claims | oauthenticator | CWE-287 | 8.8 | High | 2026-04-03 |
| CVE-2025-32428 | Jupyter Remote Desktop Proxy makes TigerVNC accessible via the network and not just via a UNIX socket as intended | jupyter-remote-desktop-proxy | CWE-668 | 8.8 (AI) | High (AI) | 2025-04-14 |
| CVE-2023-25574 | JupyterHub's LTI13Authenticator: JWT signature not validated | ltiauthenticator | CWE-347 | 10.0 | Critical | 2025-02-25 |
| CVE-2024-41942 | JupyterHub has a privilege escalation vulnerability with the `admin:users` scope | jupyterhub | CWE-274 | 7.2 | High | 2024-08-08 |
| CVE-2024-37300 | Globus `identity_provider` restriction ignored when used with `allow_all` in JupyterHub 5.0 | oauthenticator | CWE-863 | 8.1 | High | 2024-06-12 |
| CVE-2024-35225 | Jupyter Server Proxy has a reflected XSS issue in host parameter | jupyter-server-proxy | CWE-79 | 9.7 | Critical | 2024-06-11 |
| CVE-2024-28233 | XSS in JupyterHub via Self-XSS leveraged by Cookie Tossing | jupyterhub | CWE-79 | 8.1 | High | 2024-03-27 |
| CVE-2024-29033 | GoogleOAuthenticator.hosted_domain incorrectly verifies membership of a Google organization/workspace | oauthenticator | CWE-285 | 7.5 | High | 2024-03-20 |
| CVE-2024-28179 | Jupyter Server Proxy's Websocket Proxying does not require authentication | jupyter-server-proxy | CWE-306 | 9.1 | Critical | 2024-03-20 |
| CVE-2023-48311 | Any image allowed by default | dockerspawner | CWE-20 | 8.0 | High | 2023-12-08 |
| CVE-2022-31027 | Authorization Bypass Through User-Controlled Key when using CILogonOAuthenticator in oauthenticator | oauthenticator | CWE-639 | 4.2 | Medium | 2022-06-06 |
| CVE-2022-21697 | SSRF vulnerability (requires authentication) | jupyter-server-proxy | CWE-918 | 6.3 | Medium | 2022-01-25 |
| CVE-2021-41247 | Incomplete logout in JupyterHub | jupyterhub | CWE-613 | 3.5 | Low | 2021-11-04 |
| CVE-2021-41194 | Improper Access Control in jupyterhub-firstuseauthenticator | firstuseauthenticator | CWE-284 | 9.1 | Critical | 2021-10-28 |
| CVE-2021-39159 | Remote code execution in BinderHub | binderhub | CWE-94 | 9.6 | Critical | 2021-08-25 |
| CVE-2021-39160 | Code injection in nbgitpuller | nbgitpuller | CWE-94 | 9.6 | Critical | 2021-08-25 |
| CVE-2020-26261 | User-readable API tokens in systemd units | systemdspawner | CWE-668 | 7.9 | High | 2020-12-09 |
| CVE-2020-26250 | Base class whitelist configuration ignored in OAuthenticator | oauthenticator | CWE-863 | 6.3 | Medium | 2020-12-01 |
| CVE-2020-15110 | Possible pod name collisions in jupyterhub-kubespawner | kubespawner | CWE-863 | 6.8 | Medium | 2020-07-17 |

Scores marked (AI) carry an "AI" tag on this page rather than a vendor-published CVSS vector; treat them as site estimates when prioritising, and confirm against the upstream advisory before acting on them.
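The list above mixes the core package with ten satellite packages, so the first triage question on a real deployment is which of these advisories even apply to the components you have installed. The following is an added example, not code from this page or from the JupyterHub project: it transcribes the table into a Python structure, groups and counts it, and matches it against the distributions that `pip` reports. The mapping from the page's component labels to PyPI distribution names is an assumption, and the page carries no affected-version ranges, so a match means "read this advisory", not "you are vulnerable".

```python
"""Triage helper for the jupyterhub advisory list on this page.

Added example, not code from the page or the JupyterHub project. ADVISORIES
is transcribed from the table above; DIST_NAMES (component label -> PyPI
distribution name) is an assumption used to match installed packages.
"""
from collections import defaultdict
from importlib import metadata

# (CVE, component as labelled on the page, CWE, CVSS, severity, published)
ADVISORIES = [
    ("CVE-2026-34052", "ltiauthenticator", "CWE-401", 5.9, "Medium", "2026-04-03"),
    ("CVE-2026-33709", "jupyterhub", "CWE-601", 6.1, "Medium", "2026-04-03"),
    ("CVE-2026-33175", "oauthenticator", "CWE-287", 8.8, "High", "2026-04-03"),
    ("CVE-2025-32428", "jupyter-remote-desktop-proxy", "CWE-668", 8.8, "High", "2025-04-14"),
    ("CVE-2023-25574", "ltiauthenticator", "CWE-347", 10.0, "Critical", "2025-02-25"),
    ("CVE-2024-41942", "jupyterhub", "CWE-274", 7.2, "High", "2024-08-08"),
    ("CVE-2024-37300", "oauthenticator", "CWE-863", 8.1, "High", "2024-06-12"),
    ("CVE-2024-35225", "jupyter-server-proxy", "CWE-79", 9.7, "Critical", "2024-06-11"),
    ("CVE-2024-28233", "jupyterhub", "CWE-79", 8.1, "High", "2024-03-27"),
    ("CVE-2024-29033", "oauthenticator", "CWE-285", 7.5, "High", "2024-03-20"),
    ("CVE-2024-28179", "jupyter-server-proxy", "CWE-306", 9.1, "Critical", "2024-03-20"),
    ("CVE-2023-48311", "dockerspawner", "CWE-20", 8.0, "High", "2023-12-08"),
    ("CVE-2022-31027", "oauthenticator", "CWE-639", 4.2, "Medium", "2022-06-06"),
    ("CVE-2022-21697", "jupyter-server-proxy", "CWE-918", 6.3, "Medium", "2022-01-25"),
    ("CVE-2021-41247", "jupyterhub", "CWE-613", 3.5, "Low", "2021-11-04"),
    ("CVE-2021-41194", "firstuseauthenticator", "CWE-284", 9.1, "Critical", "2021-10-28"),
    ("CVE-2021-39159", "binderhub", "CWE-94", 9.6, "Critical", "2021-08-25"),
    ("CVE-2021-39160", "nbgitpuller", "CWE-94", 9.6, "Critical", "2021-08-25"),
    ("CVE-2020-26261", "systemdspawner", "CWE-668", 7.9, "High", "2020-12-09"),
    ("CVE-2020-26250", "oauthenticator", "CWE-863", 6.3, "Medium", "2020-12-01"),
    ("CVE-2020-15110", "kubespawner", "CWE-863", 6.8, "Medium", "2020-07-17"),
]

# Component label on the page -> PyPI distribution name (assumed mapping).
DIST_NAMES = {
    "jupyterhub": "jupyterhub",
    "oauthenticator": "oauthenticator",
    "ltiauthenticator": "jupyterhub-ltiauthenticator",
    "firstuseauthenticator": "jupyterhub-firstuseauthenticator",
    "dockerspawner": "dockerspawner",
    "kubespawner": "jupyterhub-kubespawner",
    "systemdspawner": "jupyterhub-systemdspawner",
    "jupyter-server-proxy": "jupyter-server-proxy",
    "jupyter-remote-desktop-proxy": "jupyter-remote-desktop-proxy",
    "binderhub": "binderhub",
    "nbgitpuller": "nbgitpuller",
}


def by_component():
    """Group advisories by component, highest CVSS first within each group."""
    groups = defaultdict(list)
    for row in ADVISORIES:
        groups[row[1]].append(row)
    for rows in groups.values():
        rows.sort(key=lambda r: r[3], reverse=True)
    return dict(groups)


def severity_counts():
    """Number of advisories per severity label as printed on the page."""
    counts = defaultdict(int)
    for row in ADVISORIES:
        counts[row[4]] += 1
    return dict(counts)


def installed_components():
    """Page components whose assumed PyPI distribution is installed here."""
    found = set()
    for component, dist in DIST_NAMES.items():
        try:
            metadata.version(dist)
        except metadata.PackageNotFoundError:
            continue
        found.add(component)
    return found


def advisories_to_review(components, min_cvss=0.0):
    """Advisories for the given components at or above min_cvss, highest first.

    A hit means the advisory must be read; the page lists no affected-version
    ranges, so no vulnerable/not-vulnerable verdict is implied.
    """
    rows = [r for r in ADVISORIES if r[1] in components and r[3] >= min_cvss]
    return sorted(rows, key=lambda r: (-r[3], r[0]))


if __name__ == "__main__":
    # Fall back to a constructed component set so the demo runs on a bare box.
    comps = installed_components() or {"jupyterhub", "oauthenticator", "dockerspawner"}
    print(f"severity split: {severity_counts()}")
    for cve, comp, cwe, cvss, sev, date in advisories_to_review(comps, min_cvss=7.0):
        print(f"{cve}  {comp:<28} {cwe:<8} {cvss:>4}  {sev:<8} {date}")
```

Run it inside the virtualenv that serves the hub so `importlib.metadata` sees the real distributions; on a box with none of them installed it falls back to the constructed set so the output format is still visible. Raising `min_cvss` narrows the list to what needs a same-day look.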

This page lists every published CVE security advisory associated with jupyterhub. Each entry links to a detailed page with CVSS scoring, CWE classification, affected products and references. AI-generated Chinese analysis is provided for fast triage.