Skip to main content

Jupyter Server EUVDEUVD-2026-27513

| CVE-2026-40934 HIGH
Insufficient Session Expiration (CWE-613)
2026-05-05 https://github.com/jupyter-server/jupyter_server GHSA-5mrq-x3x5-8v8f
7.6
CVSS 4.0 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
7.6 HIGH
CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
SUSE
6.8 MEDIUM
AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N
Red Hat
6.8 MEDIUM
qualitative

Primary rating from GitHub Advisory.

CVSS VectorGitHub Advisory

CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

6
Patch available
May 05, 2026 - 23:02 EUVD
Re-analysis Queued
May 05, 2026 - 22:22 vuln.today
cvss_changed
Severity Changed
May 05, 2026 - 22:22 NVD
MEDIUM HIGH
CVSS changed
May 05, 2026 - 22:22 NVD
6.8 (MEDIUM) 7.6 (HIGH)
Source Code Evidence Fetched
May 05, 2026 - 18:00 vuln.today
Analysis Generated
May 05, 2026 - 18:00 vuln.today

DescriptionGitHub Advisory

Summary

A persistent cookie secret vulnerability allows authenticated users to maintain indefinite access even after password changes.

The cookie secret used to sign authentication cookies is stored in a permanent file (~/.local/share/jupyter/runtime/jupyter_cookie_secret) that is never automatically rotated or cleared, allowing stolen or compromised cookies to remain valid indefinitely regardless of password resets.

PoC

  • Start a Jupyter server with password authentication: jupyter server password, jupyter server
  • Log in with the password and capture the authentication cookie (e.g., just login with a browser).
  • Change the password to revoke access: jupyter server password
  • Restart the server
  • Use the old stolen cookie => remains valid and provides full authenticated access.

Impact

  • All jupyter-server deployments using password authentication where security incidents may occur
  • Multi-user systems where one user's compromised session should be revocable by administrators
  • Shared or public-facing Jupyter servers where credential rotation is a security requirement
  • Any deployment where password changes are expected to revoke existing sessions

Patches

Jupyter Server 2.18+

Workaround

bash
rm ~/.local/share/jupyter/runtime/jupyter_cookie_secret
# Then restart the server

AnalysisAI

Jupyter Server allows authenticated users to maintain indefinite access even after password changes due to persistent authentication cookie secrets stored in an unrotated file. An attacker who obtains a valid authentication cookie can continue using it to access the server with full privileges regardless of subsequent password resets or server restarts, affecting all Jupyter Server deployments using password authentication.

Technical ContextAI

Jupyter Server uses a cookie secret file located at ~/.local/share/jupyter/runtime/jupyter_cookie_secret to cryptographically sign authentication cookies. This secret is generated once during initial setup and never automatically rotated or invalidated. The root cause is improper session invalidation (CWE-613) - when a user changes their password, the server does not invalidate existing signed cookies or regenerate the signing key. An attacker who captures the cookie can forge or reuse valid authentication tokens because the cryptographic signing material remains constant, allowing indefinite authenticated access regardless of password changes.

RemediationAI

Upgrade Jupyter Server to version 2.18.0 or later, which implements automatic cookie secret rotation and session invalidation on password changes. As an immediate workaround without upgrading, delete the persistent cookie secret file by executing 'rm ~/.local/share/jupyter/runtime/jupyter_cookie_secret' and restart the server; this forces regeneration of the cookie secret and invalidates all previously issued cookies. Note that the workaround requires server restart and will log out all active sessions, so should be deployed during a maintenance window or coordinated with users. For multi-user deployments, administrators should either deploy the patch or establish a policy requiring manual cookie secret deletion whenever passwords are reset or security incidents occur.

Vendor StatusVendor

SUSE

Severity: Medium
Product Status
openSUSE Tumbleweed Fixed

Share

EUVD-2026-27513 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy