Jupyter Notebook CVE-2026-40171
HIGHSeverity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from GitHub Advisory.
CVSS VectorGitHub Advisory
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
6Blast Radius
ecosystem impact- 8 pypi packages depend on jupyterlab (2 direct, 6 indirect)
- 2 pypi packages depend on notebook (2 direct, 0 indirect)
Ecosystem-wide dependent count for version 4.5.7 and other introduced versions.
DescriptionGitHub Advisory
Impact
A stored Cross-Site Scripting (XSS) vulnerability in Jupyter Notebook allows attackers to steal authentication tokens from users who open malicious notebook files and interact with elements that the attacker can make look indistinguishable from legitimate controls (single click interaction).
The vulnerability enables complete account takeover through the Jupyter REST API, allowing the attacker to:
- Read all files
- Modify/create files
- Access running kernels and execute arbitrary code
- Create terminals for shell access
Patches
Jupyter Notebook 7.5.6 and JupyterLab 4.5.7 include patches for this vulnerability.
Workarounds
The help extension can be disabled via CLI:
jupyter labextension disable @jupyter-notebook/help-extension
jupyter labextension disable @jupyterlab/help-extensionHardening
The patched versions include a toggle to disable the command linker functionality altogether, for example via overrides.json:
{
"@jupyterlab/apputils-extension:sanitizer": {
"allowCommandLinker": false
}
}Resources
- https://jupyterlab.readthedocs.io/en/latest/user/commands.html#commands-in-markdown-output-and-files
Acknowledgments
Reported by Daniel Teixeira - NVIDIA AI Red Team
AnalysisAI
Stored XSS in Jupyter Notebook's CommandLinker feature enables authentication token theft through malicious notebook files, leading to complete account takeover. Attackers craft notebook files with disguised controls that, when clicked once by victims, execute arbitrary code via the Jupyter REST API, granting full filesystem access and kernel control. Reported by NVIDIA AI Red Team. Vendor-released patches available: Jupyter Notebook 7.5.6 and JupyterLab 4.5.7. No public exploit code identified at time of analysis, but proof-of-concept demonstrated internally by NVIDIA researchers. This vulnerability targets data science and ML engineering environments where notebook sharing is common practice.
Technical ContextAI
The vulnerability resides in the CommandLinker functionality within Jupyter Notebook's help extension components (@jupyter-notebook/help-extension and @jupyterlab/help-extension). CommandLinker allows Markdown output and files to embed executable commands, intended for legitimate UI automation. The CWE-79 stored XSS flaw occurs when malicious actors craft notebook files containing script payloads that the sanitizer fails to neutralize. When a victim opens the notebook and interacts with what appears to be normal UI elements, the payload executes in the browser context with the user's authentication token. Jupyter's architecture uses token-based authentication for its REST API, which controls kernels, filesystem operations, and terminal access. Successful exploitation leverages the fact that Jupyter runs a local web server where JavaScript can access authentication tokens stored in browser memory or cookies, then use those tokens to make authenticated API calls. Affected packages include both npm (JavaScript) and pip (Python) distributions, indicating the flaw spans the front-end rendering layer.
RemediationAI
Upgrade to Jupyter Notebook 7.5.6 or JupyterLab 4.5.7, which include patches that fix the CommandLinker sanitization flaw. For environments unable to immediately patch, disable the vulnerable help extensions via CLI commands: 'jupyter labextension disable @jupyter-notebook/help-extension' and 'jupyter labextension disable @jupyterlab/help-extension'. This workaround prevents exploitation but removes help functionality. As additional hardening in patched versions, administrators can disable the CommandLinker feature entirely by creating an overrides.json configuration file with: '{"@jupyterlab/apputils-extension:sanitizer": {"allowCommandLinker": false}}'. This defense-in-depth measure prevents future CommandLinker-based attacks but breaks legitimate use of commands in Markdown. For multi-user deployments, implement notebook content scanning before allowing user uploads, restrict notebook sources to trusted repositories only, and educate users on risks of opening notebooks from untrusted origins. Advisory and documentation available at https://github.com/jupyter/notebook/security/advisories/GHSA-rch3-82jr-f9w9 and https://jupyterlab.readthedocs.io/en/latest/user/commands.html#commands-in-markdown-output-and-files.
The NVIDIA driver in the Graphics Drivers subsystem in Apple OS X before 10.11.4 allows attackers to execute arbitrary c
The NVIDIA driver before 307.78, and Release 310 before 311.00, in the NVIDIA Display Driver service on Windows does not
NVIDIA Windows GPU Display Driver (all versions) contains a vulnerability in DirectX drivers, in which a specially craft
Authentication bypass in NVIDIA Triton Inference Server allows unauthenticated remote attackers to reach protected funct
NVIDIA Windows GPU Display Driver (all versions) contains a vulnerability in DirectX drivers, in which a specially craft
NVIDIA Container Toolkit for Linux contains a Time-of-Check Time-of-Use (TOCTOU) vulnerability when used with default co
For the NVIDIA Quadro, NVS, and GeForce products, NVIDIA GeForce Experience R340 before GFE 2.11.4.125 and R375 before G
The NVIDIA Graphics Drivers subsystem in Apple OS X before 10.11.5 allows attackers to execute arbitrary code in a privi
NVIDIA Container Toolkit 1.16.1 or earlier contains a Time-of-check Time-of-Use (TOCTOU) vulnerability when used with de
The nvCommandQueue::GetHandleIndex method in the NVIDIA Graphics Drivers subsystem in Apple OS X before 10.11.5 allows a
nvSCPAPISvr.exe in the Stereoscopic 3D Driver Service in the NVIDIA GPU graphics driver R340 before 341.92, R352 before
For the NVIDIA Quadro, NVS, and GeForce products, NVIDIA Windows GPU Display Driver R340 before 342.00 and R375 before 3
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allVendor StatusVendor
SUSE
Severity: High| Product | Status |
|---|---|
| openSUSE Tumbleweed | Fixed |
Share
External POC / Exploit Code
Leaving vuln.today
GHSA-rch3-82jr-f9w9