Skip to main content

Jupyter Server CVE-2026-44727

| EUVDEUVD-2026-38347 CRITICAL
Cross-site Scripting (XSS) (CWE-79)
2026-06-18 https://github.com/jupyter-server/jupyter_server GHSA-fcw5-x6j4-ccmp
9.3
CVSS 4.0 · Vendor: https://github.com/jupyter-server/jupyter_server
Share

Severity by source

Vendor (https://github.com/jupyter-server/jupyter_server) PRIMARY
9.3 CRITICAL
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
9.0 CRITICAL

Network-reachable handler with low complexity; victim must be authenticated to Jupyter (PR:L) and must navigate to the malicious nbconvert URL (UI:R); kernel RCE crosses a trust boundary so S:C with full C/I/A impact.

3.1 AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H
4.0 AV:N/AC:L/AT:N/PR:L/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

Primary rating from Vendor (https://github.com/jupyter-server/jupyter_server).

CVSS VectorVendor: https://github.com/jupyter-server/jupyter_server

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
A
Scope
X

Lifecycle Timeline

6
Analysis Updated
Jun 22, 2026 - 21:43 vuln.today
v3 (cvss_changed)
Analysis Updated
Jun 22, 2026 - 21:43 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Jun 22, 2026 - 21:39 vuln.today
cvss_changed
CVSS changed
Jun 22, 2026 - 21:39 NVD
9.3 (CRITICAL)
Source Code Evidence Fetched
Jun 18, 2026 - 15:52 vuln.today
Analysis Generated
Jun 18, 2026 - 15:52 vuln.today

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 4,812 pypi packages depend on jupyter-server (500 direct, 4,393 indirect)

Ecosystem-wide dependent count for version 2.20.0.

DescriptionCVE.org

The nbconvert HTTP handlers in jupyter_server render user-authored notebook HTML under the Jupyter origin without a sandbox directive in their Content-Security-Policy.

Combined with nbconvert.HTMLExporter's default non-sanitizing behavior, a notebook carrying an HTML payload in a display_data output triggers stored XSS with cookie access, full /api/* authority, and kernel RCE.

Impact

An authenticated victim who navigates to /nbconvert/html/<path> containing attacker-authored output can have their token exfiltrated to another domain because it is executed in the Jupyter origin.

Patches

Fixed in v2.20.0, commit 6cbee8d

Workarounds

For deployments where editing the installed jupyter_server is impractical (containerized builds, read-only images), adding this to jupyter_server_config.py has the same effect as the patch above without touching source files:

import jupyter_server.nbconvert.handlers as _nb

def _csp(self):
    return super(type(self), self).content_security_policy + "; sandbox allow-scripts"

_nb.NbconvertFileHandler.content_security_policy = property(_csp)
_nb.NbconvertPostHandler.content_security_policy = property(_csp)

AnalysisAI

Stored cross-site scripting in jupyter_server's nbconvert HTTP handlers allows a malicious notebook to execute JavaScript in the Jupyter origin, leading to session token theft, full /api/* control, and kernel remote code execution. The NbconvertFileHandler and NbconvertPostHandler render notebook-authored HTML without a CSP sandbox directive, and combined with HTMLExporter's non-sanitizing default, any display_data HTML payload runs with the victim's authority. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Craft notebook with HTML payload in display_data
Delivery
Place .ipynb in victim-reachable path
Exploit
Lure authenticated user to /nbconvert/html/<path>
Execution
Script runs in Jupyter origin (no sandbox CSP)
Persist
Exfiltrate auth token and call /api/kernels
Impact
Execute arbitrary code via kernel RCE

Vulnerability AssessmentAI

Exploitation Exploitation requires (1) a target running jupyter_server <= 2.19.0 with the /nbconvert/html/ or /nbconvert/ POST endpoints reachable (default in JupyterLab, Notebook 7, and JupyterHub user servers), (2) the attacker's ability to place a malicious .ipynb file at a path the victim can browse - via shared filesystem, shared JupyterHub directory, collaboration tool, or social-engineered download - and (3) an authenticated victim user (the description states 'authenticated victim') who navigates to /nbconvert/html/<path> for the malicious notebook, which provides the UI:A requirement in the CVSS vector. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The vendor-supplied CVSS 4.0 vector AV:N/AC:L/AT:N/PR:L/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H yields 9.3 (Critical) and is internally consistent with the description: network-reachable handler, low complexity, an authenticated user (PR:L) must click or navigate to an attacker-crafted notebook path (UI:A), and successful exploitation pivots to full kernel RCE which justifies high VC/VI/VA and the SC/SI/SA scope-change ratings since the kernel process is a separate trust boundary. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker authors a Jupyter notebook whose display_data cell output contains an HTML payload with a script that reads document.cookie and calls /api/sessions or /api/kernels to spawn a kernel and execute shell commands. They share the .ipynb via a shared volume, JupyterHub team folder, Git pull request, or email attachment, then trick a logged-in user into clicking /nbconvert/html/<path-to-notebook>; on render, the script runs in the Jupyter origin, exfiltrates the auth token to an attacker domain, and runs arbitrary Python through the kernel as the victim's OS user. …
Remediation Vendor-released patch: upgrade jupyter_server to 2.20.0 or later (pip install --upgrade 'jupyter-server>=2.20.0'), which adds the 'sandbox allow-scripts' directive to the CSP on /nbconvert/ endpoints by default via the new ServerApp.nbconvert_csp_sandbox setting; the change is in commit 6cbee8d (https://github.com/jupyter-server/jupyter_server/commit/6cbee8d65e71abac851c4492fea987ad080580bd) and documented in advisory GHSA-fcw5-x6j4-ccmp. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Identify all Jupyter Server instances and their current versions. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-44727 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy