CVE-2026-40171 Overview
CVE-2026-40171 is a stored cross-site scripting (XSS) vulnerability [CWE-79] affecting Jupyter Notebook and JupyterLab. The flaw resides in the help command linker of the @jupyter-notebook/help-extension and @jupyterlab/help-extension packages. Attackers can chain the issue with attacker-controlled notebook content to steal authentication tokens with a single click.
The vulnerability impacts Jupyter Notebook versions 7.0.0 through 7.5.5 and JupyterLab versions 4.5.6 and earlier. Successful exploitation grants full session takeover through the REST API, including arbitrary code execution via kernels and shell access through terminals.
Critical Impact
A single click on a crafted notebook element exposes authentication tokens, allowing attackers to read or modify files, execute arbitrary code in kernels, and open terminal shells.
Affected Products
- Jupyter Notebook 7.0.0 through 7.5.5
- JupyterLab 4.5.6 and earlier
- @jupyter-notebook/help-extension before 7.5.6 and @jupyterlab/help-extension before 4.5.7
Discovery Timeline
- 2026-05-06 - CVE-2026-40171 published to NVD
- 2026-05-06 - Last updated in NVD database
Technical Details for CVE-2026-40171
Vulnerability Analysis
The issue is a stored XSS flaw in the help command linker used by the Jupyter help extensions. The linker renders attacker-controlled content from notebook files without adequate sanitization. When a user opens a malicious .ipynb file, the rendered elements appear visually indistinguishable from legitimate Jupyter UI controls.
A single user click triggers JavaScript execution within the authenticated Jupyter session context. The attacker-supplied script then exfiltrates the user's authentication token. With that token, the adversary interacts with the Jupyter REST API as the victim.
Post-exploitation capabilities include reading and writing arbitrary files, attaching to existing kernels to run code, spawning new kernels, and creating terminal sessions for shell access on the host running the Jupyter server.
Root Cause
The command linker sanitizer logic permits attacker-controlled command parameters to be rendered as interactive elements. The allowCommandLinker configuration option defaults to a permissive state, so notebook content can register click handlers that invoke privileged commands within the Jupyter front end.
Attack Vector
Exploitation requires the attacker to deliver a malicious notebook file to the victim. Distribution channels include shared repositories, email attachments, collaborative platforms, or compromised data science workflows. The user must open the notebook in a vulnerable Jupyter Notebook or JupyterLab instance and click the crafted element. Authentication is required on the victim side, and user interaction is mandatory, but no privileges are needed by the attacker on the target system.
The vulnerability mechanism is documented in the GitHub Security Advisory GHSA-rch3-82jr-f9w9. No public exploit code is currently available.
Detection Methods for CVE-2026-40171
Indicators of Compromise
- Notebook files containing markdown or output cells with command: URI schemes referencing help extension commands
- Unexpected outbound HTTPS requests from browsers immediately following the opening of an .ipynb file, particularly carrying token query parameters or Authorization headers
- Jupyter server access logs showing REST API calls from unfamiliar IP addresses using a valid token shortly after notebook interaction
- New kernel or terminal sessions created without corresponding interactive user activity in the front end
Detection Strategies
- Inspect notebook JSON for embedded HTML or markdown content invoking command linker URIs that reference help extension actions
- Monitor Jupyter server logs (jupyter_server.log) for /api/kernels, /api/terminals, and /api/contents calls that deviate from baseline user behavior
- Audit installed package versions of @jupyter-notebook/help-extension and @jupyterlab/help-extension across developer endpoints
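The notebook inspection described in the indicators and detection strategies above, as an added example that is not part of the page or of the Jupyter project: it walks the .ipynb JSON, collects every command-linker reference in markdown sources and rich outputs, and separates out those aimed at help-extension commands. The sample notebook is constructed, and the assumption that help-extension commands sit in the "help:" namespace is a heuristic, not something the page states.

```python
import json
import re

# The page describes command: URIs embedded in markdown/output cells; JupyterLab's command
# linker also tags elements with a data-commandlinker-command attribute, so both are matched.
COMMAND_REF = re.compile(
    r"(?:command:|data-commandlinker-command\s*=\s*[\"'])([A-Za-z0-9_.:-]+)", re.IGNORECASE
)
# Heuristic (assumption): help-extension commands live in the "help:" command namespace.
HELP_NAMESPACE = "help:"


def cell_text(cell):
    """Concatenate everything the front end may render for one cell: source plus rich outputs."""
    src = cell.get("source", "")
    chunks = ["".join(src) if isinstance(src, list) else src]
    for out in cell.get("outputs", []):
        for mime in ("text/html", "text/markdown"):
            val = out.get("data", {}).get(mime)
            if val is not None:
                chunks.append("".join(val) if isinstance(val, list) else val)
    return "\n".join(chunks)


def scan_notebook(nb_json):
    """Return (cell_index, command_id) for every command-linker reference in the notebook."""
    nb = json.loads(nb_json)
    return [
        (idx, m.group(1))
        for idx, cell in enumerate(nb.get("cells", []))
        for m in COMMAND_REF.finditer(cell_text(cell))
    ]


def help_command_hits(nb_json):
    """Only the references that target help-extension commands, the surface of CVE-2026-40171."""
    return [hit for hit in scan_notebook(nb_json) if hit[1].lower().startswith(HELP_NAMESPACE)]


# Constructed sample: a benign markdown cell, a markdown cell linking to a help command, and a
# code cell whose HTML output carries a command-linker attribute for a non-help command.
SAMPLE_NOTEBOOK = json.dumps({
    "nbformat": 4, "nbformat_minor": 5, "metadata": {},
    "cells": [
        {"cell_type": "markdown", "metadata": {}, "source": ["# Plain heading\n", "No links.\n"]},
        {"cell_type": "markdown", "metadata": {}, "source": ["[Docs](command:help:open?placeholder)\n"]},
        {"cell_type": "code", "metadata": {}, "source": ["print('x')"], "execution_count": 1,
         "outputs": [{"output_type": "display_data", "metadata": {}, "data": {
             "text/html": ['<button data-commandlinker-command="filebrowser:open">Go</button>']}}]},
    ],
})
```

Run scan_notebook over each notebook pulled from a shared repository and triage anything help_command_hits returns before the file is opened in a vulnerable front end.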
Monitoring Recommendations
- Forward Jupyter server access and authentication logs to a centralized logging platform for correlation with endpoint and network telemetry
- Alert on token usage from IP addresses that differ from the originating user session
- Track creation of terminal sessions on Jupyter hosts and correlate with shell process activity
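The log-side checks from the detection strategies and monitoring recommendations above, as an added example that is not from the page or the Jupyter project: it parses jupyter_server request-log lines, flags a user's requests arriving from an IP other than the one the session started from, and records every kernel or terminal creation so it can be correlated with front-end activity. The log lines are constructed, and the user@ip formatting of the client field is an assumption about the deployment's logging.

```python
import re

# Constructed sample in the request-log shape jupyter_server writes (status, method, path,
# client, elapsed time); the exact user@ip formatting is an assumption about the deployment.
SAMPLE_LOG = """\
[I 2026-05-06 10:15:01.000 ServerApp] 200 GET /api/contents (alice@198.51.100.10) 3.10ms
[I 2026-05-06 10:15:02.000 ServerApp] 200 GET /lab (alice@198.51.100.10) 12.00ms
[I 2026-05-06 10:15:40.000 ServerApp] 200 GET /api/kernels?token=REDACTED (alice@203.0.113.7) 2.40ms
[I 2026-05-06 10:15:41.000 ServerApp] 201 POST /api/terminals (alice@203.0.113.7) 9.80ms
[I 2026-05-06 10:16:00.000 ServerApp] 201 POST /api/kernels (bob@198.51.100.22) 40.00ms
"""

LOG_LINE = re.compile(
    r"\[[IWE] (?P<ts>\S+ \S+) ServerApp\] (?P<status>\d{3}) (?P<method>[A-Z]+) "
    r"(?P<path>\S+) \((?:(?P<user>[^@)]+)@)?(?P<ip>[^)]+)\) [\d.]+ms"
)
# REST endpoints whose POST creates a kernel or terminal session
SESSION_CREATE = {"/api/kernels", "/api/terminals"}


def parse(line):
    """Split one request-log line into its fields; None for non-request lines."""
    m = LOG_LINE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["path"] = rec["path"].split("?", 1)[0]  # strip query string (a token would sit here)
    rec["user"] = rec["user"] or "anonymous"
    return rec


def analyze(log_text):
    """Return (kind, ts, user, ip, path) alerts: 'ip_mismatch' when a user's token is used
    from an IP other than the session's origin, 'session_create' for each successful
    kernel/terminal creation so it can be matched against interactive front-end activity."""
    origin_ip, alerts = {}, []
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None:
            continue
        origin = origin_ip.setdefault(rec["user"], rec["ip"])
        if rec["ip"] != origin:
            alerts.append(("ip_mismatch", rec["ts"], rec["user"], rec["ip"], rec["path"]))
        if rec["method"] == "POST" and rec["path"] in SESSION_CREATE and rec["status"].startswith("2"):
            alerts.append(("session_create", rec["ts"], rec["user"], rec["ip"], rec["path"]))
    return alerts


if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG):
        print(*alert)
```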
How to Mitigate CVE-2026-40171
Immediate Actions Required
- Upgrade Jupyter Notebook to version 7.5.6 or later
- Upgrade JupyterLab to version 4.5.7 or later
- Update @jupyter-notebook/help-extension to 7.5.6 and @jupyterlab/help-extension to 4.5.7
- Rotate Jupyter authentication tokens after patching to invalidate any tokens that may have been exposed
Patch Information
The maintainers released fixes in Notebook 7.5.6, JupyterLab 4.5.7, @jupyter-notebook/help-extension 7.5.6, and @jupyterlab/help-extension 4.5.7. Patch details are available in the GitHub Security Advisory GHSA-rch3-82jr-f9w9.
Workarounds
- Disable the affected help extensions using jupyter labextension disable @jupyterlab/help-extension and the equivalent command for the notebook help extension
- Set allowCommandLinker to false in the sanitizer configuration to block command linker rendering
- Restrict notebook file sharing to trusted sources until the upgrade is deployed
# Configuration example
# Disable the affected help extensions
jupyter labextension disable @jupyterlab/help-extension
jupyter labextension disable @jupyter-notebook/help-extension

# Alternatively, set allowCommandLinker to false in the sanitizer config
# In jupyter_server_config.py:
c.LabApp.tornado_settings = {
    "sanitizer": {
        "allowCommandLinker": False,
    },
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.