CVE-2026-42266 Overview
CVE-2026-42266 is a high-severity vulnerability in JupyterLab, the web-based interactive development environment for notebooks, code, and data. The flaw affects versions 4.0.0 through 4.5.6 and is fixed in 4.5.7. The allowed_extensions_uris allow-list, which administrators use to restrict the extensions users may install through the PyPI Extension Manager, is not correctly enforced: the manager was not confined to packages listed on the default PyPI index, so packages outside the configured allow-list could be installed. The vulnerability is tracked under CWE-88: Improper Neutralization of Argument Delimiters in a Command.
Critical Impact
An authenticated low-privileged user can install arbitrary Python packages into the JupyterLab environment, bypassing administrative allow-list controls and achieving code execution within the notebook server context.
Affected Products
- JupyterLab 4.0.0 through 4.5.6
- Deployments configured with allowed_extensions_uris to restrict extension installation
- JupyterHub and multi-user Jupyter environments using JupyterLab in this version range
Discovery Timeline
- 2026-05-13 - CVE-2026-42266 published to NVD
- 2026-05-13 - Last updated in NVD database
Technical Details for CVE-2026-42266
Vulnerability Analysis
JupyterLab provides a PyPI Extension Manager that lets users discover and install extensions hosted on the Python Package Index. Administrators can restrict the set of installable extensions using the allowed_extensions_uris configuration option, which defines an allow-list of trusted extension sources. This control is a security boundary in multi-tenant deployments such as JupyterHub.
The vulnerability arises because JupyterLab does not correctly enforce this allow-list during package installation requests. The Extension Manager accepts package identifiers that resolve against the default PyPI index regardless of whether the corresponding entry exists in allowed_extensions_uris. An authenticated user with access to the Extension Manager can therefore install any package available on PyPI, including malicious typosquatted or attacker-controlled packages.
Because source distributions can run setup code during installation and installed extensions load inside the JupyterLab server process, a successful install translates directly into code execution in the user's notebook server. In shared environments this can lead to data exfiltration, theft of credentials available to the server process, and lateral movement.
Root Cause
The root cause is incomplete validation in the Extension Manager backend. The allow-list check does not cover the code path that resolves package names against the default PyPI index, so the restriction can be bypassed by requesting installation of packages outside the configured URIs.
Attack Vector
The attack requires network access to the JupyterLab server and an authenticated session with low privileges. No interaction from any other user is needed. After authenticating, the attacker invokes the PyPI Extension Manager and supplies a package name that is not present in the administrator's allow-list. JupyterLab fetches and installs the package, executing arbitrary code under the notebook server account.
For exploitation details, see the JupyterLab GitHub Security Advisory GHSA-37w4-hwhx-4rc4.
Detection Methods for CVE-2026-42266
Indicators of Compromise
- Unexpected pip install invocations spawned by the jupyter-lab or jupyter-server process
- New Python packages appearing in the JupyterLab environment that are not on the administrator-approved allow-list
- Outbound HTTPS connections from notebook servers to pypi.org or files.pythonhosted.org outside normal maintenance windows
- New or modified files under the user's site-packages directory following Extension Manager activity
Detection Strategies
- Audit JupyterLab server logs for POST requests to /lab/api/extensions and correlate the requested package names against the configured allow-list
- Monitor process creation events where jupyter-lab or its child Python interpreter executes pip install with arguments referencing non-approved packages
- Inventory installed Python packages on JupyterLab hosts and diff against the approved baseline on a scheduled basis
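The first two strategies above, implemented as an added example in Python (this is not code from JupyterLab or from the advisory). It assumes an audit log in front of the notebook server, such as a reverse proxy, that records the JSON body of each POST to /lab/api/extensions; the line layout and the body fields cmd and extension_name are assumptions made for this example, and the log lines and allow-list are constructed. Beyond the allow-list comparison the text calls for, it also rejects any requested name that falls outside the package-name grammar, which is the shape an argument-delimiter problem (CWE-88) would take in a log.

```python
"""Audit Extension Manager install requests against an allow-list.

Added example, not code from JupyterLab or from the advisory. It assumes an
audit log (e.g. from a reverse proxy) that records the JSON body of each
POST to /lab/api/extensions; the line layout and the body fields "cmd" and
"extension_name" are assumptions made for this example.
"""
import json
import re
from dataclasses import dataclass

# Constructed sample log lines (not real traffic). The fourth line carries a
# deliberately malformed package name to show what the grammar check catches;
# it is not taken from the advisory.
SAMPLE_LOG = """\
2026-05-14T09:12:01Z user=alice 200 POST /lab/api/extensions {"cmd":"install","extension_name":"jupyterlab-git","extension_version":"0.50.0"}
2026-05-14T09:15:44Z user=bob 200 GET /lab/api/extensions?query=lsp {}
2026-05-14T09:16:10Z user=bob 200 POST /lab/api/extensions {"cmd":"install","extension_name":"jupyterlab-gti"}
2026-05-14T09:20:03Z user=mallory 200 POST /lab/api/extensions {"cmd":"install","extension_name":"jupyterlab-git --extra-index-url http://mirror.example/simple"}
2026-05-14T09:21:30Z user=alice 200 POST /lab/api/extensions {"cmd":"uninstall","extension_name":"jupyterlab-git"}
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) (?P<status>\d{3}) (?P<method>[A-Z]+) "
    r"/lab/api/extensions\S* (?P<body>\{.*\})$"
)
# PEP 508 package-name grammar: letters, digits, ".", "_", "-"; no whitespace,
# so anything that could be read by pip as an extra argument is rejected.
NAME_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9._-]*[A-Za-z0-9])?$")

# Packages the administrator has approved (constructed for the example).
ALLOWED = {"jupyterlab-git", "jupyterlab-lsp"}


@dataclass
class Finding:
    ts: str
    user: str
    package: str
    reason: str


def normalize(name: str) -> str:
    """PEP 503 normalisation: 'Jupyterlab_Git' and 'jupyterlab-git' compare equal."""
    return re.sub(r"[-_.]+", "-", name).lower()


def audit(log_text: str, allowed: set[str]) -> list[Finding]:
    """Return one Finding per install request that is malformed or not allow-listed."""
    allowed_norm = {normalize(n) for n in allowed}
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["method"] != "POST":
            continue  # install/uninstall commands are POSTed; GETs are listings
        try:
            body = json.loads(m["body"])
        except json.JSONDecodeError:
            findings.append(Finding(m["ts"], m["user"], "?", "unparseable request body"))
            continue
        if body.get("cmd") != "install":
            continue
        name = str(body.get("extension_name", ""))
        if not NAME_RE.match(name):
            reason = "malformed package name (possible argument injection)"
        elif normalize(name) not in allowed_norm:
            reason = "package not in allow-list"
        else:
            continue
        findings.append(Finding(m["ts"], m["user"], name, reason))
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_LOG, ALLOWED):
        print(f"{f.ts} {f.user}: {f.reason}: {f.package!r}")
```

Running it against the constructed lines reports bob's typosquat-style name as not allow-listed and mallory's request as malformed; alice's approved install and her later uninstall produce nothing. Names are normalised before comparison so that case and separator variants cannot slip past a literal string match.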
Monitoring Recommendations
- Enable verbose logging on the JupyterLab server and forward logs to a centralized SIEM for retention and correlation
- Alert on any child process of the notebook server that performs package installation or network egress to package registries
- Track version strings reported by jupyter lab --version across the fleet to identify hosts still running vulnerable releases between 4.0.0 and 4.5.6
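The fleet version check above and the inventory diff from the detection strategies, as one added example in Python (not part of this page or of the JupyterLab project). It assumes each host's version string is what jupyter lab --version prints; the host list and the package baseline are constructed data, and the live inventory uses the standard library's importlib.metadata.

```python
"""Fleet triage for CVE-2026-42266: flag hosts still on a vulnerable JupyterLab
and installed packages that drifted from an approved baseline.

Added example, not code from the JupyterLab project. It assumes the version
strings are the output of `jupyter lab --version` on each host; the fleet
report and the baseline below are constructed data for this example.
"""
import re
from importlib import metadata

VULN_MIN = (4, 0, 0)   # first affected release (inclusive)
FIXED = (4, 5, 7)      # first fixed release (exclusive upper bound)

# Constructed fleet report: host -> raw output of `jupyter lab --version`.
FLEET = {
    "hub-node-01": "4.5.6\n",
    "hub-node-02": "4.5.7",
    "hub-node-03": "4.0.0",
    "legacy-01": "3.6.8",
    "staging-01": "4.5.7rc1",
}

# Constructed baseline of approved extension packages: name -> version.
BASELINE = {"jupyterlab-git": "0.50.0", "jupyterlab-lsp": "5.0.0"}


def parse_version(text):
    """Return ((major, minor, patch), is_prerelease) for '4.5.6' or '4.5.7rc1'."""
    m = re.match(r"\s*v?(\d+)\.(\d+)\.(\d+)(.*)$", text, re.S)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    core = tuple(int(x) for x in m.groups()[:3])
    return core, bool(m.group(4).strip())


def is_vulnerable(version_text):
    """True for 4.0.0 <= version < 4.5.7; pre-releases of 4.5.7 still count."""
    core, prerelease = parse_version(version_text)
    if core < VULN_MIN:
        return False
    if core < FIXED:
        return True
    # 4.5.7rc1 sorts before 4.5.7 under PEP 440, so it is not yet patched.
    return core == FIXED and prerelease


def triage(fleet):
    """Sorted hosts whose reported version falls in the vulnerable range."""
    return sorted(host for host, ver in fleet.items() if is_vulnerable(ver))


def normalize(name):
    """PEP 503 normalisation so 'Jupyterlab_LSP' matches 'jupyterlab-lsp'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def unapproved(installed, baseline):
    """installed: iterable of (name, version). Returns sorted (name, version, reason)."""
    wanted = {normalize(k): v for k, v in baseline.items()}
    out = []
    for name, ver in installed:
        key = normalize(name)
        if key not in wanted:
            out.append((name, ver, "not in baseline"))
        elif wanted[key] != ver:
            out.append((name, ver, f"version drift (baseline {wanted[key]})"))
    return sorted(out)


def local_inventory():
    """(name, version) for every distribution visible to this interpreter."""
    return [(d.metadata["Name"], d.version) for d in metadata.distributions()]


if __name__ == "__main__":
    print("vulnerable hosts:", triage(FLEET))
    print("drift on this host:", unapproved(local_inventory(), BASELINE))
```

Two details matter in practice: trailing newlines from the captured command output are tolerated, and a release candidate of the fixed version is treated as unpatched rather than being waved through by a naive string comparison.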
How to Mitigate CVE-2026-42266
Immediate Actions Required
- Upgrade JupyterLab to version 4.5.7 or later on every affected host
- Disable the PyPI Extension Manager in shared and multi-tenant deployments until the upgrade is complete
- Rotate any credentials, tokens, or API keys that were accessible to notebook server processes during the exposure window
- Review installed Python packages on affected systems and remove any package not present in the administrator-approved list
Patch Information
The vulnerability is fixed in JupyterLab 4.5.7. Install the patched release using pip install --upgrade jupyterlab==4.5.7 and restart the JupyterLab service. Detailed fix information is published in the JupyterLab GitHub Security Advisory GHSA-37w4-hwhx-4rc4.
Workarounds
- Set the JupyterLab configuration option extension_manager to readonly (c.LabApp.extension_manager = "readonly"), which keeps the Extension Manager panel but removes its install capability, or hide the Extension Manager UI from non-administrative users
- Run JupyterLab in an environment without network access to PyPI, preventing the Extension Manager from resolving external packages
- Use container immutability or read-only file systems so that Extension Manager installs cannot persist new packages
- Restrict outbound network egress from notebook servers to an internal package mirror containing only approved extensions
# Configuration example: upgrade, then make the Extension Manager read-only
pip install --upgrade 'jupyterlab>=4.5.7'
# jupyter_lab_config.py
# "readonly" keeps the Extension Manager panel for listing installed
# extensions but removes install and uninstall; "pypi" is the default
# and is the mode affected by this advisory.
c.LabApp.extension_manager = "readonly"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

