Skip to main content

CVE-2026-34052

MEDIUM
Memory Leak (CWE-401)
2026-04-03 https://github.com/jupyterhub/ltiauthenticator GHSA-8mxq-7xr7-2fxj
5.9
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
5.9 MEDIUM
AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

3
Patch released
Apr 04, 2026 - 02:30 nvd
Patch available
Analysis Generated
Apr 03, 2026 - 22:15 vuln.today
CVE Published
Apr 03, 2026 - 21:42 nvd
MEDIUM 5.9

DescriptionGitHub Advisory

Summary

The LTI 1.1 validator stores OAuth nonces in a class-level dictionary that grows without bounds. Nonces are added before signature validation, so an attacker with knowledge of a valid consumer key can send repeated requests with unique nonces to gradually exhaust server memory, causing a denial of service.

Patches

  • upgrade jupyterhub-litauthenticator to 1.6.3

AnalysisAI

Memory exhaustion denial of service in jupyterhub-litauthenticator 1.6.2 and earlier allows unauthenticated remote attackers to crash the LTI 1.1 validator by submitting repeated requests with unique OAuth nonces. The vulnerability exists because nonces are stored in an unbounded class-level dictionary before signature validation occurs, enabling an attacker with knowledge of a valid consumer key to gradually exhaust server memory without authentication. EPSS score of 5.9 (medium-high) reflects the network attack vector and practical exploitability, though the requirement to know a valid consumer key and achieve high authentication complexity moderates real-world risk.

Technical ContextAI

The LTI 1.1 validator component in jupyterhub-litauthenticator implements OAuth 1.0-based authentication for learning tools. The vulnerability stems from a resource management failure (CWE-401) where nonces used to prevent replay attacks are accumulated in a class-level dictionary without a cleanup mechanism or size limit. Because nonces are stored before cryptographic signature validation, an attacker does not need to forge valid signatures-they only need to know a legitimate consumer key (typically configured publicly) to generate requests that populate the nonce dictionary indefinitely. Each unique nonce consumes memory until the process is exhausted, triggering a denial of service. This impacts any JupyterHub deployment using ltiauthenticator for LTI-based single sign-on integration, which is common in educational environments.

RemediationAI

Vendor-released patch: upgrade jupyterhub-litauthenticator to version 1.6.3 or later, which implements bounded nonce storage and cleanup to prevent unbounded memory growth. Installation via pip: pip install --upgrade jupyterhub-litauthenticator>=1.6.3. Organizations unable to patch immediately should consider temporarily disabling LTI authentication and using alternative authentication methods, or implementing network-level rate limiting and request filtering to restrict repeated nonce submissions from single sources. Ensure consumer keys are properly secured and not exposed in public configuration repositories. Review deployment documentation at https://github.com/jupyterhub/ltiauthenticator for configuration best practices.

Share

CVE-2026-34052 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy