Is there a patch available for CVE-2026-40934?

Yes, a patch is available for CVE-2026-40934. Update the affected software to the latest version immediately.

Jupyter Server CVE-2026-40934

Q: What is the CVSS score of CVE-2026-40934?

CVE-2026-40934 has a CVSS 4.0 base score of 7.6 (High). CVSS vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X. EPSS exploitation probability: 0.1%.

EUVD-2026-27513 HIGH

Insufficient Session Expiration (CWE-613)

2026-05-05 https://github.com/jupyter-server/jupyter_server

GHSA-5mrq-x3x5-8v8f

Information Disclosure Suse

7.6

CVSS 4.0

CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Lifecycle Timeline

Patch available

May 05, 2026 - 23:02 EUVD

Re-analysis Queued

May 05, 2026 - 22:22 vuln.today

cvss_changed

Severity Changed

May 05, 2026 - 22:22 NVD

MEDIUM HIGH

CVSS changed

May 05, 2026 - 22:22 NVD

6.8 (MEDIUM) 7.6 (HIGH)

Source Code Evidence Fetched

May 05, 2026 - 18:00 vuln.today

Analysis Generated

May 05, 2026 - 18:00 vuln.today

DescriptionNVD

Summary

A persistent cookie secret vulnerability allows authenticated users to maintain indefinite access even after password changes.

The cookie secret used to sign authentication cookies is stored in a permanent file (~/.local/share/jupyter/runtime/jupyter_cookie_secret) that is never automatically rotated or cleared, allowing stolen or compromised cookies to remain valid indefinitely regardless of password resets.

PoC

Start a Jupyter server with password authentication: jupyter server password, jupyter server
Log in with the password and capture the authentication cookie (e.g., just login with a browser).
Change the password to revoke access: jupyter server password
Restart the server
Use the old stolen cookie => remains valid and provides full authenticated access.

Impact

All jupyter-server deployments using password authentication where security incidents may occur
Multi-user systems where one user's compromised session should be revocable by administrators
Shared or public-facing Jupyter servers where credential rotation is a security requirement
Any deployment where password changes are expected to revoke existing sessions

Patches

Jupyter Server 2.18+

Workaround

bash

rm ~/.local/share/jupyter/runtime/jupyter_cookie_secret
# Then restart the server

AnalysisAI

Jupyter Server allows authenticated users to maintain indefinite access even after password changes due to persistent authentication cookie secrets stored in an unrotated file. An attacker who obtains a valid authentication cookie can continue using it to access the server with full privileges regardless of subsequent password resets or server restarts, affecting all Jupyter Server deployments using password authentication.

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

More from same product – last 7 days

CVE-2026-9256 HIGH This Week

8.1 May 22

Heap buffer overflow in NGINX Plus and NGINX Open Source ngx_http_rewrite_module allows unauthenticated remote attackers

Vendor StatusVendor

CVE-2026-40934 vulnerability details – vuln.today

Back