JupyterLab CVE-2026-42557
HIGHSeverity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from Vendor (https://github.com/jupyterlab/jupyterlab).
CVSS VectorVendor: https://github.com/jupyterlab/jupyterlab
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
5Blast Radius
ecosystem impact- 8 pypi packages depend on jupyterlab (2 direct, 6 indirect)
- 2 pypi packages depend on notebook (2 direct, 0 indirect)
Ecosystem-wide dependent count for version 4.5.7 and other introduced versions.
DescriptionCVE.org
JupyterLab's HTML sanitizer allowlists data-commandlinker-command and data-commandlinker-args on button elements, while CommandLinker listens for all click events on document.body and executes the named command without checking whether the element came from trusted JupyterLab UI. A notebook with a pre-saved HTML cell output containing a deceptive button can trigger arbitrary JupyterLab commands - including arbitrary code execution - on a single user click, without any code being submitted for execution by the user.
Impact
An attacker who shares a notebook or a Markdown file - via email, GitHub, or a Binder link - can invoke an arbitrary command upon a single click by the victim. The button can be rendered inside the output area and be visually indistinguishable from a legitimate widget. No kernel needs to start; the HTML output is stored in the notebook file and displayed immediately on open.
Single-click impact
An attacker convincing the victim to click on a single button or link can:
- execute arbitrary code in the available kernels,
- delete files leading to information loss; in principle the loss could be unrecoverable, depending on server configuration and attack complexity,
- open multiple kernels/terminals at once, or create multiple files at once, putting significant stress on the server and thus deny availability for other users when using standalone multi-tenant jupyter-server deployment, and to a lesser degree impact availability on JupyterHub deployments.
The arbitrary code execution will be immediately visible to the user; and can be halted by the timely user intervention. The deletion of files can be silent and go unnoticed for some time.
Multi-click attacks
An attacker who convinces the victim to click on multiple buttons in specific order and to grant access to clipboard (or in scenarios where the user already granted keyboard access) can obtain full access to the terminal and execute arbitrary commands in the environment with access scope that might exceed that of available kernels. Only users of Chromium-based browsers are susceptible to this expanded variant of the attack.
The execution of commands in the terminal would be immediately visible to the user.
Impact of third-party extensions
The impact described above assumes a plain JupyterLab/Notebook installation. In environments with frontend extensions that contribute additional commands the attack surface is increased by the functionality covered by these commands.
Patches
JupyterLab 4.5.7
Workarounds
No workarounds are available for end-users.
Downstream applications inheriting from JupyterFrontEnd or JupyterLab can effectively disable the CommandLinker by passing commandLinker: new CommandLinker({ commands: new CommandRegistry() }) option in the initialization options.
Hardening
The patched versions include a toggle to disable the command linker functionality altogether, for example via overrides.json:
{
"@jupyterlab/apputils-extension:sanitizer": {
"allowCommandLinker": false
}
}Resources
- https://jupyterlab.readthedocs.io/en/latest/user/commands.html#commands-in-markdown-files
AnalysisAI
JupyterLab's CommandLinker executes arbitrary commands via single-click social engineering when users open malicious notebooks shared through email, GitHub, or Binder links. Attackers embed deceptive HTML buttons with allowlisted data-commandlinker-* attributes in pre-saved notebook output cells to trigger commands without code execution submission, enabling immediate arbitrary code execution in available kernels, silent file deletion, or resource exhaustion in multi-tenant deployments. The patched version 4.5.7 was released by the JupyterLab team through GitHub advisory GHSA-mqcg-5x36-vfcg. Chromium browser users face expanded terminal access risk through multi-click clipboard permission abuse. Third-party JupyterLab extensions increase attack surface by exposing additional commands to exploitation.
Technical ContextAI
JupyterLab's CommandLinker component registers a global click event listener on document.body to process data-commandlinker-command and data-commandlinker-args attributes on button elements, enabling legitimate in-app command invocation from documentation and UI. The HTML sanitizer incorrectly allowlists these attributes on user-controlled content rendered from notebook output cells and Markdown files without origin validation. This creates a DOM-based command injection vector classified under CWE-79 (Cross-site Scripting), though the impact extends beyond traditional XSS to arbitrary command execution within the JupyterLab runtime environment. The vulnerability affects pkg:pip/jupyterlab (all versions through 4.5.6) and pkg:pip/notebook (versions 7.0.0 through 7.5.5), which share the underlying frontend architecture. Unlike typical stored XSS requiring server-side persistence, malicious payloads are embedded directly in .ipynb JSON files distributed through version control, email attachments, or public notebook repositories, executing immediately upon file open without kernel initialization.
RemediationAI
Upgrade to JupyterLab 4.5.7 or Jupyter Notebook 7.5.6 as released by the vendor through GitHub advisory GHSA-mqcg-5x36-vfcg. For environments requiring immediate mitigation before patching, disable CommandLinker functionality by adding overrides.json configuration: {"@jupyterlab/apputils-extension:sanitizer": {"allowCommandLinker": false}} in the JupyterLab settings directory, though this breaks legitimate command linker features in documentation and Markdown files. Downstream application developers can disable the vulnerable component by passing commandLinker: new CommandLinker({ commands: new CommandRegistry() }) in JupyterFrontEnd initialization options. After patching, consider enabling the allowCommandLinker: false hardening toggle as defense-in-depth if command linker functionality is not actively used in your deployment. Organizations should audit existing notebook repositories for suspicious HTML button elements containing data-commandlinker-command attributes and review recent file deletion activity for potential silent exploitation. Multi-tenant deployments should prioritize patching due to resource exhaustion and cross-user availability impact. No effective end-user workarounds exist beyond avoiding opening notebooks from untrusted sources.
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allVendor StatusVendor
SUSE
| Product | Status |
|---|---|
| openSUSE Tumbleweed | Fixed |
Share
External POC / Exploit Code
Leaving vuln.today
GHSA-mqcg-5x36-vfcg