CVE-2026-40110: Jupyter Server Auth Bypass Vulnerability

CVE-2026-40110 Overview

CVE-2026-40110 is a Cross-Origin Resource Sharing (CORS) origin validation bypass in Jupyter Server, the backend that powers Jupyter web applications. Versions 2.17.0 and earlier validate the Origin header using Python's re.match() against the allow_origin_pat configuration value. Because re.match() only anchors at the start of the string, an origin like trusted.example.com.evil.com matches a pattern intended for trusted.example.com. An attacker controlling such a lookalike domain can issue cross-origin requests against the Jupyter Server API from an untrusted site. The issue is fixed in version 2.18.0 and tracked under [CWE-777].

Critical Impact
Successful exploitation lets an attacker-controlled origin bypass CORS restrictions and interact with the Jupyter Server API, exposing notebook content and execution capabilities to cross-site requests.

Affected Products

Jupyter Server versions 2.17.0 and earlier
Jupyter web applications relying on allow_origin_pat for CORS enforcement
Deployments using regex-based origin allow-listing in jupyter_server.base.handlers

Discovery Timeline

2026-05-05 - CVE-2026-40110 published to NVD
2026-05-07 - Last updated in NVD database

Technical Details for CVE-2026-40110

Vulnerability Analysis

Jupyter Server uses allow_origin_pat, a regular expression, to decide which cross-origin requests are permitted. The pre-patch implementation passed this pattern to re.match(), which only requires a match at the beginning of the input string. As a result, any origin whose prefix matches the configured pattern is accepted, regardless of trailing characters. An operator who configures allow_origin_pat = r"trusted\.example\.com" to permit only that host inadvertently also permits trusted.example.com.attacker.tld, trusted.example.com.evil.com, or any other suffix-extended domain an adversary can register. The flaw is classified under [CWE-777] (Regular Expression without Anchors).

Root Cause

The root cause is the difference between re.match() and re.fullmatch() in Python's standard library. re.match() anchors only at the start of the string; it does not validate that the pattern consumes the entire input. CORS origin checks require full-string equivalence to be safe. Using a non-anchored match against attacker-controlled input collapses the trust boundary the configuration was meant to enforce.

Attack Vector

The attack is network-based and requires user interaction. An attacker registers a domain whose name begins with a string that satisfies the victim's allow_origin_pat regex. The attacker hosts a malicious page and entices an authenticated Jupyter user to visit it. The page issues cross-origin requests to the user's Jupyter Server. The server's CORS check accepts the spoofed Origin header, returning sensitive data and allowing API operations that would otherwise be blocked.

python

# Pre-patch (vulnerable) check in jupyter_server/base/handlers.py
if self.allow_origin:
    allow = self.allow_origin == origin
elif self.allow_origin_pat:
    allow = bool(re.match(self.allow_origin_pat, origin))

# Post-patch fix introduced in version 2.18.0
def _origin_matches_pat(self, origin: str) -> bool:
    if not self.allow_origin_pat:
        return False
    if re.fullmatch(self.allow_origin_pat, origin):
        return True
    if re.match(self.allow_origin_pat, origin):
        warnings.warn(
            f"allow_origin_pat {self.allow_origin_pat!r} only matched the request origin as a prefix. "
            "This has been replaced with a full string match. "
            "Update your pattern if you need to prefix-match the origin (e.g. append '.*')",
            UserWarning,
            stacklevel=2,
        )
    return False

Source: jupyter-server commit 057869a

Detection Methods for CVE-2026-40110

Indicators of Compromise

HTTP requests to Jupyter Server endpoints carrying an Origin header that begins with a trusted domain but contains additional trailing labels (for example, trusted.example.com.evil.com).
Outbound responses with Access-Control-Allow-Origin echoing unexpected suffix-extended domains.
Authenticated Jupyter API calls (/api/contents, /api/sessions, /api/kernels) initiated from referrers outside the deployment's known browser origins.

Detection Strategies

Inspect access logs for Origin header values that include a trusted hostname followed by an additional . and label, then verify against the registered allow_origin_pat.
Replay logged origins through re.fullmatch() to identify entries that match re.match() but fail re.fullmatch(). These represent prior bypass attempts.
Correlate authenticated session activity with browser origins; flag kernel execution requests originating from domains not present in the operator's allow-list.

Monitoring Recommendations

Alert on responses where Access-Control-Allow-Origin is set to a value other than the canonical trusted domains.
Monitor for newly registered lookalike domains that share a prefix with internal Jupyter hostnames.
Capture Jupyter Server warning logs for the new UserWarning emitted by _origin_matches_pat after upgrading; these identify misconfigured patterns that previously allowed bypasses.

How to Mitigate CVE-2026-40110

Immediate Actions Required

Upgrade Jupyter Server to version 2.18.0 or later, which replaces re.match() with re.fullmatch() for origin validation.
Audit existing allow_origin_pat configuration values and ensure each pattern fully describes the allowed origin, including the scheme and end-of-string anchor.
Restrict Jupyter Server network exposure so that only trusted browser origins can reach the API while patches are rolled out.

Patch Information

The fix is delivered in Jupyter Server 2.18.0 via GitHub Pull Request 603 and commits 057869a and 49b3439. The patch introduces an origin_matches_pat utility, applies it across HTTP and websocket handlers, and emits a UserWarning when an existing pattern only matched as a prefix. See the GitHub Security Advisory GHSA-24qx-w28j-9m6p for the full advisory.

Workarounds

Set allow_origin to the exact trusted origin string instead of using allow_origin_pat, which forces a literal equality check.
If allow_origin_pat is required, anchor patterns explicitly using \Z or $ (for example, r"https://trusted\.example\.com\Z") to prevent suffix-extension matches.
Place Jupyter Server behind a reverse proxy that strips or validates the Origin header before requests reach the application.

bash

# Upgrade Jupyter Server to the patched release
pip install --upgrade "jupyter_server>=2.18.0"

# Verify the installed version
python -c "import jupyter_server; print(jupyter_server.__version__)"

# Example of a safely anchored allow_origin_pat in jupyter_server_config.py
# c.ServerApp.allow_origin_pat = r"https://([a-z0-9-]+\.)?trusted\.example\.com\Z"

CVE-2026-40110 Overview

Critical Impact
Successful exploitation lets an attacker-controlled origin bypass CORS restrictions and interact with the Jupyter Server API, exposing notebook content and execution capabilities to cross-site requests.

Affected Products

Jupyter Server versions 2.17.0 and earlier
Jupyter web applications relying on allow_origin_pat for CORS enforcement
Deployments using regex-based origin allow-listing in jupyter_server.base.handlers

Discovery Timeline

2026-05-05 - CVE-2026-40110 published to NVD
2026-05-07 - Last updated in NVD database

Technical Details for CVE-2026-40110

Vulnerability Analysis

Root Cause

Attack Vector

python

# Pre-patch (vulnerable) check in jupyter_server/base/handlers.py
if self.allow_origin:
    allow = self.allow_origin == origin
elif self.allow_origin_pat:
    allow = bool(re.match(self.allow_origin_pat, origin))

# Post-patch fix introduced in version 2.18.0
def _origin_matches_pat(self, origin: str) -> bool:
    if not self.allow_origin_pat:
        return False
    if re.fullmatch(self.allow_origin_pat, origin):
        return True
    if re.match(self.allow_origin_pat, origin):
        warnings.warn(
            f"allow_origin_pat {self.allow_origin_pat!r} only matched the request origin as a prefix. "
            "This has been replaced with a full string match. "
            "Update your pattern if you need to prefix-match the origin (e.g. append '.*')",
            UserWarning,
            stacklevel=2,
        )
    return False

Source: jupyter-server commit 057869a

Detection Methods for CVE-2026-40110

Indicators of Compromise

HTTP requests to Jupyter Server endpoints carrying an Origin header that begins with a trusted domain but contains additional trailing labels (for example, trusted.example.com.evil.com).
Outbound responses with Access-Control-Allow-Origin echoing unexpected suffix-extended domains.
Authenticated Jupyter API calls (/api/contents, /api/sessions, /api/kernels) initiated from referrers outside the deployment's known browser origins.

Detection Strategies

Inspect access logs for Origin header values that include a trusted hostname followed by an additional . and label, then verify against the registered allow_origin_pat.
Replay logged origins through re.fullmatch() to identify entries that match re.match() but fail re.fullmatch(). These represent prior bypass attempts.
Correlate authenticated session activity with browser origins; flag kernel execution requests originating from domains not present in the operator's allow-list.

Monitoring Recommendations

Alert on responses where Access-Control-Allow-Origin is set to a value other than the canonical trusted domains.
Monitor for newly registered lookalike domains that share a prefix with internal Jupyter hostnames.
Capture Jupyter Server warning logs for the new UserWarning emitted by _origin_matches_pat after upgrading; these identify misconfigured patterns that previously allowed bypasses.

How to Mitigate CVE-2026-40110

Immediate Actions Required

Upgrade Jupyter Server to version 2.18.0 or later, which replaces re.match() with re.fullmatch() for origin validation.
Audit existing allow_origin_pat configuration values and ensure each pattern fully describes the allowed origin, including the scheme and end-of-string anchor.
Restrict Jupyter Server network exposure so that only trusted browser origins can reach the API while patches are rolled out.

Patch Information

Workarounds

Set allow_origin to the exact trusted origin string instead of using allow_origin_pat, which forces a literal equality check.
If allow_origin_pat is required, anchor patterns explicitly using \Z or $ (for example, r"https://trusted\.example\.com\Z") to prevent suffix-extension matches.
Place Jupyter Server behind a reverse proxy that strips or validates the Origin header before requests reach the application.

bash

# Upgrade Jupyter Server to the patched release
pip install --upgrade "jupyter_server>=2.18.0"

# Verify the installed version
python -c "import jupyter_server; print(jupyter_server.__version__)"

# Example of a safely anchored allow_origin_pat in jupyter_server_config.py
# c.ServerApp.allow_origin_pat = r"https://([a-z0-9-]+\.)?trusted\.example\.com\Z"

CVE-2026-40110: Jupyter Server Auth Bypass Vulnerability

CVE-2026-40110 Overview

Critical Impact

Affected Products

Discovery Timeline

Technical Details for CVE-2026-40110

Vulnerability Analysis

Root Cause

Attack Vector

Detection Methods for CVE-2026-40110

Indicators of Compromise

Detection Strategies

Monitoring Recommendations

How to Mitigate CVE-2026-40110

Immediate Actions Required

Patch Information

Workarounds

Experience the World’s Most Advanced Cybersecurity Platform

CVE-2026-40110: Jupyter Server Auth Bypass Vulnerability

CVE-2026-40110 Overview

Critical Impact

Affected Products

Discovery Timeline

Technical Details for CVE-2026-40110

Vulnerability Analysis

Root Cause

Attack Vector

Detection Methods for CVE-2026-40110

Indicators of Compromise

Detection Strategies

Monitoring Recommendations

How to Mitigate CVE-2026-40110

Immediate Actions Required

Patch Information

Workarounds

Experience the World’s Most Advanced Cybersecurity Platform