JupyterLab CVE-2026-42266
HIGHSeverity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Primary rating from Vendor (https://github.com/jupyterlab/jupyterlab).
CVSS VectorVendor: https://github.com/jupyterlab/jupyterlab
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
2Blast Radius
ecosystem impact- 1 pypi packages depend on jupyterlab (1 direct, 0 indirect)
Ecosystem-wide dependent count for version 4.0.0.
DescriptionCVE.org
The allow-list of extensions that can be installed from PyPI Extension Manager (allowed_extensions_uris) is not correctly enforced by JupyterLab prior to 4.5.X. The PyPI Extension Manager was not contained to packages listed on the default PyPI index.
This has security implications for deployments that:
- have allow-listed specific extensions with aim to prevent users from installing packages
- have the kernel and terminals disabled or delegated to remote hosts (thus no access to install packages in the single-user server environment)
- have multi-tenant deployments that is not configured for untrusted users (as per documented on JupyterHub https://jupyterhub.readthedocs.io/en/5.2.1/explanation/websecurity.html)
- have the (default) PyPI Extension Manger enabled
Impact
An authenticated attacker - such as a student in a shared JupyterHub environment or a user in a multi-tenant JupyterLab deployment - can escalate their privileges. This might allow for data exfiltration, lateral movement within the network, and persistent compromise of the server infrastructure.
Patches
JupyterLab v4.5.7 contains the patch.
Users of applications that depend on JupyterLab, such as Notebook v7+, should update jupyterlab package too.
Workarounds
Switch to read-only extension manager by adding the following command line option:
--LabApp.extension_manager=readonlyor the following traitlet:
c.LabApp.extension_manager = 'readonly'You can confirm that the read-only manager is in use from GUI:
<img width="293" height="293" alt="image" src="https://github.com/user-attachments/assets/8016c809-633e-4ed0-a5bc-6bc4793caa0f" />
Note: configuration of a PyPI proxy with allow-listed packages is not sufficient to protect from this vulnerability.
Resources
- allow-list https://jupyterlab.readthedocs.io/en/stable/user/extensions.html#listing-configuration
- https://jupyterhub.readthedocs.io/en/5.2.1/explanation/websecurity.html
- https://jupyterlab.readthedocs.io/en/latest/user/extensions.html#extension-manager-implementations
AnalysisAI
Privilege escalation in JupyterLab 4.0.0 through 4.5.6 allows authenticated users to bypass extension allow-list controls and install arbitrary PyPI packages, enabling potential data exfiltration and lateral movement in multi-tenant deployments. The PyPI Extension Manager failed to enforce the allowed_extensions_uris configuration, permitting installation of packages outside the approved list. This vulnerability is particularly critical in shared educational environments (JupyterHub) and multi-tenant deployments where kernel/terminal access is restricted. Vendor-released patch available in JupyterLab v4.5.7. No public exploit identified at time of analysis, though exploitation requires only authenticated access with low complexity (CVSS AC:L).
Technical ContextAI
JupyterLab is a web-based interactive development environment for Jupyter notebooks, code, and data. The PyPI Extension Manager is a built-in GUI feature that allows users to discover and install Python extensions from the Python Package Index (PyPI). This vulnerability (CWE-20: Improper Input Validation) stems from insufficient enforcement of the allowed_extensions_uris configuration parameter, which administrators use to restrict installable extensions to a specific allow-list. The flaw exists in the server-side validation logic that processes extension installation requests, failing to properly validate that requested packages match the configured URI allow-list. This creates a policy discrepancy between the intended administrative controls and actual enforcement, effectively bypassing the security boundary meant to separate user capabilities from package installation privileges. Affected package identified via CPE: pkg:pip/jupyterlab versions 4.0.0 through 4.5.6.
RemediationAI
Upgrade JupyterLab to version 4.5.7 or later, which contains the validated patch for this vulnerability (release details at https://github.com/jupyterlab/jupyterlab/releases/tag/v4.5.7). For deployments using applications that bundle JupyterLab such as Jupyter Notebook v7+, ensure the underlying jupyterlab package dependency is also updated to 4.5.7 or later. If immediate patching is not feasible, implement the workaround by switching to read-only extension manager mode using either command-line option --LabApp.extension_manager=readonly or configuration traitlet c.LabApp.extension_manager = 'readonly' in your JupyterLab configuration file. Trade-off: this workaround completely disables extension installation capabilities for all users, including administrators, which may impact legitimate workflow requirements. Verify read-only mode is active through the GUI (settings icon should display lock indication). Note that configuring a PyPI proxy with allow-listed packages is explicitly NOT sufficient to mitigate this vulnerability due to the server-side validation bypass. For multi-tenant deployments, review and apply security hardening guidance from https://jupyterhub.readthedocs.io/en/5.2.1/explanation/websecurity.html.
Wazuh SIEM platform versions 4.4.0 through 4.9.0 contain an unsafe deserialization vulnerability in the DistributedAPI t
BentoML version 1.4.2 and earlier contains an unauthenticated remote code execution vulnerability through insecure deser
pgAdmin 4 contains critical remote code execution vulnerabilities in the Query Tool download and Cloud Deployment endpoi
The renderLocalView function in render/views.py in graphite-web in Graphite 0.9.5 through 0.9.10 uses the pickle Python
BentoML is a Python library for building online serving systems optimized for AI apps and model inference. Rated critica
OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h does not properly restrict processing of ChangeCiph
pyLoad download manager version prior to 0.5.0b3.dev77 exposes the Flask SECRET_KEY through an unauthenticated endpoint.
In Mercurial before 4.1.3, "hg serve --stdio" allows remote authenticated users to launch the Python debugger, and conse
Unauthenticated remote code execution in Marimo ≤0.20.4 allows attackers to execute arbitrary system commands via the `/
pyLoad is the free and open-source Download Manager written in pure Python. Rated medium severity (CVSS 5.3), this vulne
Langflow (a visual LLM pipeline builder) contains a critical unauthenticated code execution vulnerability (CVE-2026-3301
Cross-user flow execution in Langflow (< 1.9.1) lets any authenticated API-key holder run another user's flow by passing
Same weakness CWE-20 – Improper Input Validation
View allSame technique Privilege Escalation
View allVendor StatusVendor
SUSE
| Product | Status |
|---|---|
| openSUSE Tumbleweed | Fixed |
Share
External POC / Exploit Code
Leaving vuln.today
GHSA-37w4-hwhx-4rc4