Skip to main content

Jupyter Server CVE-2026-40110

| EUVDEUVD-2026-27510 HIGH
Regular Expression without Anchors (CWE-777)
2026-05-05 https://github.com/jupyter-server/jupyter_server GHSA-24qx-w28j-9m6p
7.6
CVSS 4.0 · Vendor: https://github.com/jupyter-server/jupyter_server
Share

Severity by source

Vendor (https://github.com/jupyter-server/jupyter_server) PRIMARY
7.6 HIGH
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:L/SC:L/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
SUSE
7.3 HIGH
AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N
Red Hat
7.1 HIGH
qualitative

Primary rating from Vendor (https://github.com/jupyter-server/jupyter_server).

CVSS VectorVendor: https://github.com/jupyter-server/jupyter_server

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:L/SC:L/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
P
Scope
X

Lifecycle Timeline

4
Re-analysis Queued
May 05, 2026 - 22:22 vuln.today
cvss_changed
CVSS changed
May 05, 2026 - 22:22 NVD
7.6 (HIGH)
Source Code Evidence Fetched
May 05, 2026 - 17:31 vuln.today
Analysis Generated
May 05, 2026 - 17:31 vuln.today

DescriptionCVE.org

Jupyter Server uses re.match() to validate the Origin header against the allow_origin_pat configuration.

Since re.match() only anchors at the start of the string, an attacker who controls a domain like http://trusted.example.com.evil.com/ passes validation against a pattern intended to match only trusted.example.com.

Impact

<=2.17.0

Patches

057869a327c46730afede3eab0ca2d2e3e74acea, 49b34392feaa97735b3b777e3baf8f22f2a14ed8

Workarounds

Wrap your allow_origin_pat value with ^ and $

References

https://github.com/jupyter-server/jupyter_server/pull/603 https://docs.python.org/3/library/re.html#re.fullmatch https://docs.python.org/3/library/re.html#re.match

AnalysisAI

Cross-Origin Resource Sharing (CORS) bypass in Jupyter Server <= 2.17.0 allows attackers controlling malicious subdomains to bypass origin validation and access sensitive notebook data. The vulnerability stems from incorrect use of Python's re.match() function in the allow_origin_pat configuration, which only anchors at the start of strings. An attacker registering a domain like 'trusted.example.com.evil.com' can pass validation intended only for 'trusted.example.com', enabling unauthorized cross-origin requests to Jupyter sessions. Fixed in version 2.18.0 via commits 057869a and 49b3439. No active exploitation or public POC identified at time of analysis.

Technical ContextAI

This vulnerability (CWE-777: Regular Expression without Anchors) exploits a common regex antipattern in Python. Jupyter Server's CORS origin validation uses re.match() to check incoming Origin headers against the allow_origin_pat configuration pattern. Python's re.match() implicitly anchors only at the beginning of the string (equivalent to prepending '^' but not appending '$'). This means a pattern like 'trusted\.example\.com' will match both 'trusted.example.com' AND 'trusted.example.com.evil.com' because re.match() only verifies the start of the string. The correct approach is using re.fullmatch() (Python 3.4+) which anchors at both start and end, or manually wrapping patterns with '^pattern$'. The affected component is pkg:pip/jupyter-server, specifically the CORS validation middleware that processes HTTP Origin headers before allowing cross-origin API requests to notebook servers.

RemediationAI

Upgrade Jupyter Server to version 2.18.0 or later, which replaces re.match() with proper anchoring via commits 057869a327c46730afede3eab0ca2d2e3e74acea and 49b34392feaa97735b3b777e3baf8f22f2a14ed8. Installation via pip: 'pip install --upgrade jupyter-server>=2.18.0'. If immediate patching is not feasible, apply the workaround by modifying your Jupyter Server configuration to wrap all allow_origin_pat values with regex anchors '^' at the start and '$' at the end (e.g., change 'trusted\.example\.com' to '^trusted\.example\.com$'). This workaround provides equivalent protection but requires manual configuration changes and testing to ensure legitimate origins still match. As a compensating control, review and minimize the scope of allow_origin_pat patterns to only absolutely necessary domains, or disable CORS entirely if cross-origin access is not required (noting this will break browser-based integrations requiring cross-origin requests). Full advisory and patch details: https://github.com/jupyter-server/jupyter_server/security/advisories/GHSA-24qx-w28j-9m6p and https://github.com/jupyter-server/jupyter_server/pull/603.

More in Python

View all
CVE-2025-24016 CRITICAL POC
9.9 Feb 10

Wazuh SIEM platform versions 4.4.0 through 4.9.0 contain an unsafe deserialization vulnerability in the DistributedAPI t

CVE-2025-27520 CRITICAL POC
9.8 Apr 04

BentoML version 1.4.2 and earlier contains an unauthenticated remote code execution vulnerability through insecure deser

CVE-2025-2945 CRITICAL POC
9.9 Apr 03

pgAdmin 4 contains critical remote code execution vulnerabilities in the Query Tool download and Cloud Deployment endpoi

CVE-2013-5093 MEDIUM POC
6.8 Sep 27

The renderLocalView function in render/views.py in graphite-web in Graphite 0.9.5 through 0.9.10 uses the pickle Python

CVE-2025-32375 CRITICAL POC
9.8 Apr 09

BentoML is a Python library for building online serving systems optimized for AI apps and model inference. Rated critica

CVE-2014-0224 HIGH POC
7.4 Jun 05

OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h does not properly restrict processing of ChangeCiph

CVE-2024-21644 HIGH POC
7.5 Jan 08

pyLoad download manager version prior to 0.5.0b3.dev77 exposes the Flask SECRET_KEY through an unauthenticated endpoint.

CVE-2017-9462 HIGH POC
8.8 Jun 06

In Mercurial before 4.1.3, "hg serve --stdio" allows remote authenticated users to launch the Python debugger, and conse

CVE-2026-39987 CRITICAL POC
9.3 Apr 08

Unauthenticated remote code execution in Marimo ≤0.20.4 allows attackers to execute arbitrary system commands via the `/

CVE-2024-21645 MEDIUM POC
5.3 Jan 08

pyLoad is the free and open-source Download Manager written in pure Python. Rated medium severity (CVSS 5.3), this vulne

CVE-2026-33017 CRITICAL POC
9.3 Mar 17

Langflow (a visual LLM pipeline builder) contains a critical unauthenticated code execution vulnerability (CVE-2026-3301

CVE-2026-55255 HIGH POC
8.4 Jun 19

Cross-user flow execution in Langflow (< 1.9.1) lets any authenticated API-key holder run another user's flow by passing

Vendor StatusVendor

SUSE

Severity: High
Product Status
openSUSE Tumbleweed Fixed

Share

CVE-2026-40110 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy