Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
4Blast Radius
ecosystem impact- 17 pypi packages depend on oauthenticator (17 direct, 0 indirect)
Ecosystem-wide dependent count for version 17.4.0.
DescriptionGitHub Advisory
OAuthenticator is software that allows OAuth2 identity providers to be plugged in and used with JupyterHub. Prior to version 17.4.0, an authentication bypass vulnerability in oauthenticator allows an attacker with an unverified email address on an Auth0 tenant to login to JupyterHub. When email is used as the usrname_claim, this gives users control over their username and the possibility of account takeover. This issue has been patched in version 17.4.0.
AnalysisAI
Authentication bypass in JupyterHub OAuthenticator <17.4.0 allows authenticated attackers with unverified email addresses on Auth0 tenants to login with arbitrary usernames, enabling account takeover when email is configured as the username claim. The vulnerability requires low-complexity exploitation over the network with low privileges (CVSS 8.8, AV:N/AC:L/PR:L). No public exploit identified at time of analysis, though the vendor has released a security advisory with technical details. EPSS data not available, but the authentication bypass nature and account takeover potential make this a priority for organizations using JupyterHub with Auth0 OAuth integration.
Technical ContextAI
OAuthenticator is a pluggable authentication framework that integrates OAuth2 identity providers with JupyterHub, allowing single sign-on capabilities. This vulnerability (CWE-287: Improper Authentication) stems from insufficient email verification enforcement in the Auth0 authentication flow. When JupyterHub deployments configure OAuthenticator to use email addresses as the username_claim parameter, the system trusts unverified email claims from Auth0 tokens. Since Auth0 allows users to register with unverified email addresses, an attacker can create an account claiming any email address (including those of legitimate users) and bypass proper authentication. The affected product is jupyterhub:oauthenticator (CPE 2.3:a:jupyterhub:oauthenticator), specifically all versions prior to 17.4.0. The vulnerability specifically impacts Auth0 OAuth provider integration; other OAuth providers may handle email verification differently.
RemediationAI
Upgrade JupyterHub OAuthenticator to version 17.4.0 or later, which includes authentication fixes to properly validate email verification status from Auth0 tokens. The patch is available at https://github.com/jupyterhub/oauthenticator/releases/tag/17.4.0 with the specific commit fix at https://github.com/jupyterhub/oauthenticator/commit/f0c7002dc36e41efae0f674033cf7888a21d96f9. For organizations unable to immediately upgrade, implement compensating controls by either switching from email-based username_claim to verified unique identifiers (such as Auth0 user_id), enabling and enforcing email verification requirements in Auth0 tenant settings, or implementing additional username validation logic at the JupyterHub layer. Review access logs for suspicious authentication patterns or username conflicts that may indicate exploitation attempts. After patching, conduct an audit of existing user accounts to identify any potentially compromised accounts created through unverified email claims.
More in Oauthenticator
View allOAuthenticator provides plugins for JupyterHub to use common OAuth providers, as well as base classes for writing one's
An issue was discovered in Project Jupyter JupyterHub OAuthenticator 0.6.x before 0.6.2 and 0.7.x before 0.7.3. Rated hi
OAuthenticator is an OAuth token library for the JupyerHub login handler. Rated medium severity (CVSS 6.5), this vulnera
OAuthenticator is an OAuth login mechanism for JupyterHub. Rated medium severity (CVSS 6.3), this vulnerability is remot
Same weakness CWE-287 – Improper Authentication
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-18878
GHSA-rrvg-cxh4-qhrv