Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
4DescriptionGitHub Advisory
JupyterHub is software that allows one to create a multi-user server for Jupyter notebooks. Prior to version 5.4.4, an open redirect vulnerability in JupyterHub allows attackers to construct links which, when clicked, take users to the JupyterHub login page, after which they are sent to an arbitrary attacker-controlled site outside JupyterHub instead of a JupyterHub page, bypassing JupyterHub's check to prevent this. This issue has been patched in version 5.4.4.
AnalysisAI
Open redirect vulnerability in JupyterHub prior to version 5.4.4 allows unauthenticated remote attackers to craft malicious links that bypass JupyterHub's redirect validation, redirecting users through the legitimate login page to arbitrary attacker-controlled sites. This enables phishing attacks and credential harvesting by leveraging JupyterHub's trusted domain to establish credibility. The vulnerability requires user interaction (clicking a link) and has been patched in version 5.4.4.
Technical ContextAI
JupyterHub implements URL redirect validation to prevent open redirect attacks (CWE-601), a common vulnerability class in web applications where user-supplied input controls redirect destinations without proper validation. The root cause is insufficient validation of the redirect parameter after login, allowing attackers to bypass the existing check by constructing specially crafted URLs. This vulnerability affects the authentication flow in JupyterHub's multi-user server architecture, where users are redirected after login. The CVSS vector indicates the attack requires network access (AV:N) with low complexity (AC:L) and no privileges (PR:N), but mandates user interaction (UI:A), suggesting the attacker must trick a user into clicking a malicious link.
RemediationAI
Vendor-released patch: upgrade JupyterHub to version 5.4.4 or later. This version includes the fix for the open redirect validation bypass. Organizations unable to upgrade immediately should consider implementing network-level controls to restrict login page access to trusted networks, or deploy a Web Application Firewall (WAF) rule to detect and block redirect parameters containing external domains. The patch is available via the official GitHub release at https://github.com/jupyterhub/jupyterhub/releases/tag/5.4.4 and through standard Python package management (pip install --upgrade jupyterhub>=5.4.4). Review the security advisory at https://github.com/jupyterhub/jupyterhub/security/advisories/GHSA-3vff-hjqv-m7h8 for comprehensive implementation guidance.
More in Open Redirect
View allA malicious third-party can give a crafted "ssh://..." URL to an unsuspecting victim, and an attempt to visit the URL ca
GFI Kerio Control versions 9.2.5 through 9.4.5 contain an HTTP response splitting vulnerability in the dest parameter of
PHP through 7.0.8 does not attempt to address RFC 3875 section 4.1.18 namespace conflicts and therefore does not protect
Multiple open redirect vulnerabilities in Apache Struts 2.0.0 through 2.3.15 allow remote attackers to redirect users to
Open redirect vulnerability in age-verification.php in the Age Verification plugin 0.4 and earlier for WordPress allows
Open redirect vulnerability in Kaseya Virtual System Administrator (VSA) 7.x before 7.0.0.29, 8.x before 8.0.0.18, 9.0 b
Vulnerability in the Oracle Applications Framework component of Oracle E-Business Suite (subcomponent: Popup windows (li
Unspecified vulnerability in the Oracle Application Server Single Sign-On component in Oracle Fusion Middleware 10.1.4.3
Flarum is open source discussion platform software. Rated medium severity (CVSS 6.5), this vulnerability is remotely exp
Open redirect vulnerability in Novius OS 5.0.1 (Elche) allows remote attackers to redirect users to arbitrary web sites
Open redirect vulnerability in the Redirect function in stageshow_redirect.php in the StageShow plugin before 5.0.9 for
Nteract v.0.28.0 was discovered to contain a remote code execution (RCE) vulnerability via the Markdown link. Rated crit
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-18880
GHSA-3vff-hjqv-m7h8