CVE-2026-40864 – JupyterHub: Cross-origin form POSTs bypass XSRF

CVE ID :CVE-2026-40864

Published : May 22, 2026, 8:13 p.m. | 44 minutes ago

Description :JupyterHub is software that allows users to create a multi-user server for Jupyter notebooks. In versions 4.1.0 through 5.4.4, XSRF protection (updated in 4.1.0) inappropriately treated requests with Sec-Fetch-Mode: no-cors as same-origin requests, bypassing XSRF checks. The JSON API is not affected, only HTTP form endpoints, such as /hub/spawn and /hub/accept-share, meaning attackers could trigger server spawn (but not access the server) and if the attacker is a JupyterHub user permitted to share access to their server, cause a user to accept a share and have access to the attacker’s server. This issue has been fixed in version 5.4.5. If developers are unable to immediately upgrade, they can temporarily mitigate this issue by dropping requests to JupyterHub with Sec-Fetch-Mode: no-cors if they are using a reverse proxy.

Severity: 0.0 | NA

Visit the link for more details, such as CVSS details, affected products, timeline, and more… 

نوشته های مشابه

CVE-2026-40610 – BentoML has Information Disclosure in `bentoml build` via symlink traversal in the build context

CVE-2026-39824 – Invoking integer overflow in NewNTUnicodeString in golang.org/x/sys/windows

CVE-2026-40607 – MantisBT is Vulnerable to Stored XSS Through its Saved-Filter Owner Column

CVE-2026-40598 – MantisBT has Potential Referer-Based Reflected HTML Injection / XSS in Tag Update Page