Skip to main content

JupyterLab CVE-2026-42557

HIGH
Cross-site Scripting (XSS) (CWE-79)
2026-05-06 https://github.com/jupyterlab/jupyterlab GHSA-mqcg-5x36-vfcg
8.6
CVSS 4.0 · Vendor: https://github.com/jupyterlab/jupyterlab
Share

Severity by source

Vendor (https://github.com/jupyterlab/jupyterlab) PRIMARY
8.6 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Red Hat
8.8 HIGH
qualitative

Primary rating from Vendor (https://github.com/jupyterlab/jupyterlab).

CVSS VectorVendor: https://github.com/jupyterlab/jupyterlab

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
A
Scope
X

Lifecycle Timeline

5
Re-analysis Queued
May 13, 2026 - 16:22 vuln.today
cvss_changed
CVSS changed
May 13, 2026 - 16:22 NVD
8.6 (HIGH)
Source Code Evidence Fetched
May 06, 2026 - 22:39 vuln.today
Analysis Generated
May 06, 2026 - 22:39 vuln.today
CVE Published
May 06, 2026 - 21:43 nvd
HIGH

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 8 pypi packages depend on jupyterlab (2 direct, 6 indirect)
  • 2 pypi packages depend on notebook (2 direct, 0 indirect)

Ecosystem-wide dependent count for version 4.5.7 and other introduced versions.

DescriptionCVE.org

JupyterLab's HTML sanitizer allowlists data-commandlinker-command and data-commandlinker-args on button elements, while CommandLinker listens for all click events on document.body and executes the named command without checking whether the element came from trusted JupyterLab UI. A notebook with a pre-saved HTML cell output containing a deceptive button can trigger arbitrary JupyterLab commands - including arbitrary code execution - on a single user click, without any code being submitted for execution by the user.

Impact

An attacker who shares a notebook or a Markdown file - via email, GitHub, or a Binder link - can invoke an arbitrary command upon a single click by the victim. The button can be rendered inside the output area and be visually indistinguishable from a legitimate widget. No kernel needs to start; the HTML output is stored in the notebook file and displayed immediately on open.

Single-click impact

An attacker convincing the victim to click on a single button or link can:

  • execute arbitrary code in the available kernels,
  • delete files leading to information loss; in principle the loss could be unrecoverable, depending on server configuration and attack complexity,
  • open multiple kernels/terminals at once, or create multiple files at once, putting significant stress on the server and thus deny availability for other users when using standalone multi-tenant jupyter-server deployment, and to a lesser degree impact availability on JupyterHub deployments.

The arbitrary code execution will be immediately visible to the user; and can be halted by the timely user intervention. The deletion of files can be silent and go unnoticed for some time.

Multi-click attacks

An attacker who convinces the victim to click on multiple buttons in specific order and to grant access to clipboard (or in scenarios where the user already granted keyboard access) can obtain full access to the terminal and execute arbitrary commands in the environment with access scope that might exceed that of available kernels. Only users of Chromium-based browsers are susceptible to this expanded variant of the attack.

The execution of commands in the terminal would be immediately visible to the user.

Impact of third-party extensions

The impact described above assumes a plain JupyterLab/Notebook installation. In environments with frontend extensions that contribute additional commands the attack surface is increased by the functionality covered by these commands.

Patches

JupyterLab 4.5.7

Workarounds

No workarounds are available for end-users.

Downstream applications inheriting from JupyterFrontEnd or JupyterLab can effectively disable the CommandLinker by passing commandLinker: new CommandLinker({ commands: new CommandRegistry() }) option in the initialization options.

Hardening

The patched versions include a toggle to disable the command linker functionality altogether, for example via overrides.json:

json
{
  "@jupyterlab/apputils-extension:sanitizer": {
    "allowCommandLinker": false
  }
}

Resources

  • https://jupyterlab.readthedocs.io/en/latest/user/commands.html#commands-in-markdown-files

AnalysisAI

JupyterLab's CommandLinker executes arbitrary commands via single-click social engineering when users open malicious notebooks shared through email, GitHub, or Binder links. Attackers embed deceptive HTML buttons with allowlisted data-commandlinker-* attributes in pre-saved notebook output cells to trigger commands without code execution submission, enabling immediate arbitrary code execution in available kernels, silent file deletion, or resource exhaustion in multi-tenant deployments. The patched version 4.5.7 was released by the JupyterLab team through GitHub advisory GHSA-mqcg-5x36-vfcg. Chromium browser users face expanded terminal access risk through multi-click clipboard permission abuse. Third-party JupyterLab extensions increase attack surface by exposing additional commands to exploitation.

Technical ContextAI

JupyterLab's CommandLinker component registers a global click event listener on document.body to process data-commandlinker-command and data-commandlinker-args attributes on button elements, enabling legitimate in-app command invocation from documentation and UI. The HTML sanitizer incorrectly allowlists these attributes on user-controlled content rendered from notebook output cells and Markdown files without origin validation. This creates a DOM-based command injection vector classified under CWE-79 (Cross-site Scripting), though the impact extends beyond traditional XSS to arbitrary command execution within the JupyterLab runtime environment. The vulnerability affects pkg:pip/jupyterlab (all versions through 4.5.6) and pkg:pip/notebook (versions 7.0.0 through 7.5.5), which share the underlying frontend architecture. Unlike typical stored XSS requiring server-side persistence, malicious payloads are embedded directly in .ipynb JSON files distributed through version control, email attachments, or public notebook repositories, executing immediately upon file open without kernel initialization.

RemediationAI

Upgrade to JupyterLab 4.5.7 or Jupyter Notebook 7.5.6 as released by the vendor through GitHub advisory GHSA-mqcg-5x36-vfcg. For environments requiring immediate mitigation before patching, disable CommandLinker functionality by adding overrides.json configuration: {"@jupyterlab/apputils-extension:sanitizer": {"allowCommandLinker": false}} in the JupyterLab settings directory, though this breaks legitimate command linker features in documentation and Markdown files. Downstream application developers can disable the vulnerable component by passing commandLinker: new CommandLinker({ commands: new CommandRegistry() }) in JupyterFrontEnd initialization options. After patching, consider enabling the allowCommandLinker: false hardening toggle as defense-in-depth if command linker functionality is not actively used in your deployment. Organizations should audit existing notebook repositories for suspicious HTML button elements containing data-commandlinker-command attributes and review recent file deletion activity for potential silent exploitation. Multi-tenant deployments should prioritize patching due to resource exhaustion and cross-user availability impact. No effective end-user workarounds exist beyond avoiding opening notebooks from untrusted sources.

Vendor StatusVendor

SUSE

Product Status
openSUSE Tumbleweed Fixed

Share

CVE-2026-42557 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy