Skip to main content

Oauthenticator CVE-2026-33175

| EUVDEUVD-2026-18878 HIGH
Improper Authentication (CWE-287)
2026-04-03 GitHub_M GHSA-rrvg-cxh4-qhrv
8.8
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
8.8 HIGH
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

4
Patch released
Apr 04, 2026 - 02:30 nvd
Patch available
EUVD ID Assigned
Apr 03, 2026 - 22:15 euvd
EUVD-2026-18878
Analysis Generated
Apr 03, 2026 - 22:15 vuln.today
CVE Published
Apr 03, 2026 - 21:56 nvd
HIGH 8.8

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 17 pypi packages depend on oauthenticator (17 direct, 0 indirect)

Ecosystem-wide dependent count for version 17.4.0.

DescriptionGitHub Advisory

OAuthenticator is software that allows OAuth2 identity providers to be plugged in and used with JupyterHub. Prior to version 17.4.0, an authentication bypass vulnerability in oauthenticator allows an attacker with an unverified email address on an Auth0 tenant to login to JupyterHub. When email is used as the usrname_claim, this gives users control over their username and the possibility of account takeover. This issue has been patched in version 17.4.0.

AnalysisAI

Authentication bypass in JupyterHub OAuthenticator <17.4.0 allows authenticated attackers with unverified email addresses on Auth0 tenants to login with arbitrary usernames, enabling account takeover when email is configured as the username claim. The vulnerability requires low-complexity exploitation over the network with low privileges (CVSS 8.8, AV:N/AC:L/PR:L). No public exploit identified at time of analysis, though the vendor has released a security advisory with technical details. EPSS data not available, but the authentication bypass nature and account takeover potential make this a priority for organizations using JupyterHub with Auth0 OAuth integration.

Technical ContextAI

OAuthenticator is a pluggable authentication framework that integrates OAuth2 identity providers with JupyterHub, allowing single sign-on capabilities. This vulnerability (CWE-287: Improper Authentication) stems from insufficient email verification enforcement in the Auth0 authentication flow. When JupyterHub deployments configure OAuthenticator to use email addresses as the username_claim parameter, the system trusts unverified email claims from Auth0 tokens. Since Auth0 allows users to register with unverified email addresses, an attacker can create an account claiming any email address (including those of legitimate users) and bypass proper authentication. The affected product is jupyterhub:oauthenticator (CPE 2.3:a:jupyterhub:oauthenticator), specifically all versions prior to 17.4.0. The vulnerability specifically impacts Auth0 OAuth provider integration; other OAuth providers may handle email verification differently.

RemediationAI

Upgrade JupyterHub OAuthenticator to version 17.4.0 or later, which includes authentication fixes to properly validate email verification status from Auth0 tokens. The patch is available at https://github.com/jupyterhub/oauthenticator/releases/tag/17.4.0 with the specific commit fix at https://github.com/jupyterhub/oauthenticator/commit/f0c7002dc36e41efae0f674033cf7888a21d96f9. For organizations unable to immediately upgrade, implement compensating controls by either switching from email-based username_claim to verified unique identifiers (such as Auth0 user_id), enabling and enforcing email verification requirements in Auth0 tenant settings, or implementing additional username validation logic at the JupyterHub layer. Review access logs for suspicious authentication patterns or username conflicts that may indicate exploitation attempts. After patching, conduct an audit of existing user accounts to identify any potentially compromised accounts created through unverified email claims.

Share

CVE-2026-33175 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy