Skip to main content

Jupyter Notebook CVE-2026-40171

HIGH
Cross-site Scripting (XSS) (CWE-79)
2026-04-30 https://github.com/jupyter/notebook GHSA-rch3-82jr-f9w9
8.4
CVSS 4.0 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
8.4 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
SUSE
HIGH
qualitative

Primary rating from GitHub Advisory.

CVSS VectorGitHub Advisory

CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
A
Scope
X

Lifecycle Timeline

6
Re-analysis Queued
May 06, 2026 - 20:22 vuln.today
cvss_changed
CVSS changed
May 06, 2026 - 20:22 NVD
8.4 (HIGH)
Source Code Evidence Fetched
Apr 30, 2026 - 17:47 vuln.today
Analysis Generated
Apr 30, 2026 - 17:47 vuln.today
Analysis Generated
Apr 30, 2026 - 17:30 vuln.today
CVE Published
Apr 30, 2026 - 17:25 nvd
HIGH

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 8 pypi packages depend on jupyterlab (2 direct, 6 indirect)
  • 2 pypi packages depend on notebook (2 direct, 0 indirect)

Ecosystem-wide dependent count for version 4.5.7 and other introduced versions.

DescriptionGitHub Advisory

Impact

A stored Cross-Site Scripting (XSS) vulnerability in Jupyter Notebook allows attackers to steal authentication tokens from users who open malicious notebook files and interact with elements that the attacker can make look indistinguishable from legitimate controls (single click interaction).

The vulnerability enables complete account takeover through the Jupyter REST API, allowing the attacker to:

  1. Read all files
  2. Modify/create files
  3. Access running kernels and execute arbitrary code
  4. Create terminals for shell access

Patches

Jupyter Notebook 7.5.6 and JupyterLab 4.5.7 include patches for this vulnerability.

Workarounds

The help extension can be disabled via CLI:

jupyter labextension disable @jupyter-notebook/help-extension
jupyter labextension disable @jupyterlab/help-extension

Hardening

The patched versions include a toggle to disable the command linker functionality altogether, for example via overrides.json:

json
{
  "@jupyterlab/apputils-extension:sanitizer": {
    "allowCommandLinker": false
  }
}

Resources

  • https://jupyterlab.readthedocs.io/en/latest/user/commands.html#commands-in-markdown-output-and-files

Acknowledgments

Reported by Daniel Teixeira - NVIDIA AI Red Team

AnalysisAI

Stored XSS in Jupyter Notebook's CommandLinker feature enables authentication token theft through malicious notebook files, leading to complete account takeover. Attackers craft notebook files with disguised controls that, when clicked once by victims, execute arbitrary code via the Jupyter REST API, granting full filesystem access and kernel control. Reported by NVIDIA AI Red Team. Vendor-released patches available: Jupyter Notebook 7.5.6 and JupyterLab 4.5.7. No public exploit code identified at time of analysis, but proof-of-concept demonstrated internally by NVIDIA researchers. This vulnerability targets data science and ML engineering environments where notebook sharing is common practice.

Technical ContextAI

The vulnerability resides in the CommandLinker functionality within Jupyter Notebook's help extension components (@jupyter-notebook/help-extension and @jupyterlab/help-extension). CommandLinker allows Markdown output and files to embed executable commands, intended for legitimate UI automation. The CWE-79 stored XSS flaw occurs when malicious actors craft notebook files containing script payloads that the sanitizer fails to neutralize. When a victim opens the notebook and interacts with what appears to be normal UI elements, the payload executes in the browser context with the user's authentication token. Jupyter's architecture uses token-based authentication for its REST API, which controls kernels, filesystem operations, and terminal access. Successful exploitation leverages the fact that Jupyter runs a local web server where JavaScript can access authentication tokens stored in browser memory or cookies, then use those tokens to make authenticated API calls. Affected packages include both npm (JavaScript) and pip (Python) distributions, indicating the flaw spans the front-end rendering layer.

RemediationAI

Upgrade to Jupyter Notebook 7.5.6 or JupyterLab 4.5.7, which include patches that fix the CommandLinker sanitization flaw. For environments unable to immediately patch, disable the vulnerable help extensions via CLI commands: 'jupyter labextension disable @jupyter-notebook/help-extension' and 'jupyter labextension disable @jupyterlab/help-extension'. This workaround prevents exploitation but removes help functionality. As additional hardening in patched versions, administrators can disable the CommandLinker feature entirely by creating an overrides.json configuration file with: '{"@jupyterlab/apputils-extension:sanitizer": {"allowCommandLinker": false}}'. This defense-in-depth measure prevents future CommandLinker-based attacks but breaks legitimate use of commands in Markdown. For multi-user deployments, implement notebook content scanning before allowing user uploads, restrict notebook sources to trusted repositories only, and educate users on risks of opening notebooks from untrusted origins. Advisory and documentation available at https://github.com/jupyter/notebook/security/advisories/GHSA-rch3-82jr-f9w9 and https://jupyterlab.readthedocs.io/en/latest/user/commands.html#commands-in-markdown-output-and-files.

More in Nvidia

View all
CVE-2016-1741 CRITICAL POC
9.8 Mar 24

The NVIDIA driver in the Graphics Drivers subsystem in Apple OS X before 10.11.4 allows attackers to execute arbitrary c

CVE-2013-0109 HIGH POC
7.2 Apr 08

The NVIDIA driver before 307.78, and Release 310 before 311.00, in the NVIDIA Display Driver service on Windows does not

CVE-2019-5684 CRITICAL POC
10.0 Aug 06

NVIDIA Windows GPU Display Driver (all versions) contains a vulnerability in DirectX drivers, in which a specially craft

CVE-2026-24207 CRITICAL POC
9.8 May 20

Authentication bypass in NVIDIA Triton Inference Server allows unauthenticated remote attackers to reach protected funct

CVE-2019-5685 CRITICAL POC
9.8 Aug 06

NVIDIA Windows GPU Display Driver (all versions) contains a vulnerability in DirectX drivers, in which a specially craft

CVE-2025-23359 HIGH POC
8.3 Feb 12

NVIDIA Container Toolkit for Linux contains a Time-of-Check Time-of-Use (TOCTOU) vulnerability when used with default co

CVE-2016-8812 HIGH POC
8.8 Nov 08

For the NVIDIA Quadro, NVS, and GeForce products, NVIDIA GeForce Experience R340 before GFE 2.11.4.125 and R375 before G

CVE-2016-1861 HIGH POC
7.8 Jun 19

The NVIDIA Graphics Drivers subsystem in Apple OS X before 10.11.5 allows attackers to execute arbitrary code in a privi

CVE-2024-0132 HIGH POC
8.3 Sep 26

NVIDIA Container Toolkit 1.16.1 or earlier contains a Time-of-check Time-of-Use (TOCTOU) vulnerability when used with de

CVE-2016-1846 HIGH POC
7.8 May 20

The nvCommandQueue::GetHandleIndex method in the NVIDIA Graphics Drivers subsystem in Apple OS X before 10.11.5 allows a

CVE-2015-7865 HIGH POC
7.7 Nov 24

nvSCPAPISvr.exe in the Stereoscopic 3D Driver Service in the NVIDIA GPU graphics driver R340 before 341.92, R352 before

CVE-2016-8811 HIGH POC
7.8 Nov 08

For the NVIDIA Quadro, NVS, and GeForce products, NVIDIA Windows GPU Display Driver R340 before 342.00 and R375 before 3

Vendor StatusVendor

SUSE

Severity: High
Product Status
openSUSE Tumbleweed Fixed

Share

CVE-2026-40171 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy