CVE-2026-34052
MEDIUMSeverity by source
AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
3DescriptionGitHub Advisory
Summary
The LTI 1.1 validator stores OAuth nonces in a class-level dictionary that grows without bounds. Nonces are added before signature validation, so an attacker with knowledge of a valid consumer key can send repeated requests with unique nonces to gradually exhaust server memory, causing a denial of service.
Patches
- upgrade jupyterhub-litauthenticator to 1.6.3
AnalysisAI
Memory exhaustion denial of service in jupyterhub-litauthenticator 1.6.2 and earlier allows unauthenticated remote attackers to crash the LTI 1.1 validator by submitting repeated requests with unique OAuth nonces. The vulnerability exists because nonces are stored in an unbounded class-level dictionary before signature validation occurs, enabling an attacker with knowledge of a valid consumer key to gradually exhaust server memory without authentication. EPSS score of 5.9 (medium-high) reflects the network attack vector and practical exploitability, though the requirement to know a valid consumer key and achieve high authentication complexity moderates real-world risk.
Technical ContextAI
The LTI 1.1 validator component in jupyterhub-litauthenticator implements OAuth 1.0-based authentication for learning tools. The vulnerability stems from a resource management failure (CWE-401) where nonces used to prevent replay attacks are accumulated in a class-level dictionary without a cleanup mechanism or size limit. Because nonces are stored before cryptographic signature validation, an attacker does not need to forge valid signatures-they only need to know a legitimate consumer key (typically configured publicly) to generate requests that populate the nonce dictionary indefinitely. Each unique nonce consumes memory until the process is exhausted, triggering a denial of service. This impacts any JupyterHub deployment using ltiauthenticator for LTI-based single sign-on integration, which is common in educational environments.
RemediationAI
Vendor-released patch: upgrade jupyterhub-litauthenticator to version 1.6.3 or later, which implements bounded nonce storage and cleanup to prevent unbounded memory growth. Installation via pip: pip install --upgrade jupyterhub-litauthenticator>=1.6.3. Organizations unable to patch immediately should consider temporarily disabling LTI authentication and using alternative authentication methods, or implementing network-level rate limiting and request filtering to restrict repeated nonce submissions from single sources. Ensure consumer keys are properly secured and not exposed in public configuration repositories. Review deployment documentation at https://github.com/jupyterhub/ltiauthenticator for configuration best practices.
Same weakness CWE-401 – Memory Leak
View allSame technique Denial Of Service
View allShare
External POC / Exploit Code
Leaving vuln.today
GHSA-8mxq-7xr7-2fxj