
CVE-2026-42557: JupyterLab RCE Vulnerability

CVE-2026-42557 is a remote code execution vulnerability in JupyterLab that allows attackers to execute arbitrary code via malicious HTML buttons. This article covers technical details, affected versions, and mitigation.

CVE-2026-42557 Overview

CVE-2026-42557 is a Cross-Site Scripting [CWE-79] vulnerability in JupyterLab, an extensible environment for interactive and reproducible computing based on the Jupyter Notebook architecture. The flaw exists in versions prior to 4.5.7. JupyterLab's HTML sanitizer allowlists the data-commandlinker-command and data-commandlinker-args attributes on button elements. The CommandLinker component listens for all click events on document.body and executes the named command without verifying that the element originated from trusted JupyterLab UI. A notebook containing a pre-saved HTML cell output with a deceptive button can trigger arbitrary JupyterLab commands, including arbitrary code execution, on a single user click.

Critical Impact

A single click on a malicious button rendered in notebook output can execute arbitrary JupyterLab commands and code in the user's session, with no code submission required by the user.

Affected Products

  • JupyterLab versions prior to 4.5.7
  • Notebooks containing untrusted HTML cell outputs rendered by affected JupyterLab versions
  • Environments distributing or sharing pre-saved Jupyter notebooks from untrusted sources

Discovery Timeline

  • 2026-05-13 - CVE-2026-42557 published to NVD
  • 2026-05-13 - Last updated in NVD database

Technical Details for CVE-2026-42557

Vulnerability Analysis

The vulnerability stems from an unsafe interaction between JupyterLab's HTML sanitizer and its CommandLinker component. The sanitizer permits the data-commandlinker-command and data-commandlinker-args attributes on button elements within rendered HTML output. The CommandLinker registers a global click handler on document.body and dispatches the named command from any element carrying these attributes. The handler does not validate whether the click originated from a trusted JupyterLab UI surface or from sanitized notebook output. Attackers can place a button in HTML cell output that invokes privileged commands such as code execution, file operations, or extension management. Refer to the GitHub Security Advisory GHSA-mqcg-5x36-vfcg for vendor technical details.

Root Cause

The sanitizer allowlist treats data-commandlinker-* attributes as safe presentation metadata. The CommandLinker treats any element carrying those attributes as an authorized command source. Neither component enforces a trust boundary between JupyterLab's chrome and untrusted rendered content.

Attack Vector

An attacker crafts a notebook with an HTML cell output containing a button styled to appear benign. When a victim opens the notebook in a vulnerable JupyterLab version and clicks the button, the CommandLinker executes the embedded command. Commands available through this interface can include arbitrary code execution in the kernel context. Delivery occurs through any channel that distributes notebooks, including shared repositories, email attachments, or collaborative platforms.

No verified proof-of-concept code is published. See the GitHub Security Advisory for additional technical context.

Detection Methods for CVE-2026-42557

Indicators of Compromise

  • Notebook .ipynb files containing HTML cell outputs with <button> elements carrying data-commandlinker-command or data-commandlinker-args attributes
  • Unexpected kernel process spawns or shell command execution following a user click in JupyterLab
  • Notebooks sourced from untrusted repositories, email, or shared drives that render interactive button elements in saved outputs

Detection Strategies

  • Scan stored .ipynb files for HTML outputs containing data-commandlinker-command attributes prior to opening
  • Inventory JupyterLab installations and flag instances running versions below 4.5.7
  • Monitor Jupyter kernel processes for unexpected child processes following notebook interaction

Monitoring Recommendations

  • Log and review notebook file ingestion from external sources, including Git pulls and downloaded archives
  • Correlate JupyterLab process telemetry with user click events to identify command execution outside expected workflows
  • Enable endpoint telemetry on workstations running Jupyter to capture process lineage from jupyter-lab and kernel processes

How to Mitigate CVE-2026-42557

Immediate Actions Required

  • Upgrade JupyterLab to version 4.5.7 or later on all user workstations and shared servers
  • Audit recently opened notebooks from untrusted sources for embedded data-commandlinker-* attributes
  • Restrict the distribution of notebooks to vetted internal repositories until upgrades are complete
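The scan called for under Detection Strategies ("scan stored .ipynb files for HTML outputs containing data-commandlinker-command attributes prior to opening") and the audit step above ("audit recently opened notebooks from untrusted sources for embedded data-commandlinker-* attributes") are the same check, so one added example serves both. This is example code written for this page, not code from the advisory or from the JupyterLab project. It walks the notebook JSON with the standard library only, parses every saved text/html output and markdown source with HTMLParser, and reports any element carrying either attribute (any tag is flagged, since the page states the click handler dispatches from any element with the attributes, not only buttons). A second function strips the flagged code-cell outputs so the file can be opened without rendering them. The notebook embedded at the bottom is constructed for the demonstration; the command name in it is a placeholder.

```python
"""Scan .ipynb files for saved HTML outputs carrying CommandLinker attributes.

Added example (not from the advisory or the JupyterLab project). The sample
notebook at the bottom is constructed; "EXAMPLE-COMMAND" is a placeholder.
"""
import json
from html.parser import HTMLParser

SUSPECT_ATTRS = ("data-commandlinker-command", "data-commandlinker-args")


class _LinkerFinder(HTMLParser):
    """Collect (tag, attrs) for every element carrying a suspect attribute."""

    def __init__(self):
        super().__init__()
        self.hits = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lower-cases attribute names; values may be None.
        found = {k: v for k, v in attrs if k in SUSPECT_ATTRS}
        if found:
            self.hits.append((tag, found))


def find_linker_elements(html_text):
    """Return [(tag, {attr: value})] for each element with a suspect attribute."""
    parser = _LinkerFinder()
    parser.feed(html_text)
    parser.close()
    return parser.hits


def _as_text(value):
    # nbformat stores multi-line strings either as a str or as a list of lines.
    return "".join(value) if isinstance(value, list) else str(value)


def _html_fragments(cell):
    """Yield (output_index, html) for each fragment JupyterLab would render as HTML.

    Markdown cells yield output_index None because their source itself is rendered.
    """
    if cell.get("cell_type") == "markdown":
        yield None, _as_text(cell.get("source", ""))
        return
    for i, out in enumerate(cell.get("outputs", [])):
        data = out.get("data", {})  # display_data / execute_result carry a mime bundle
        if "text/html" in data:
            yield i, _as_text(data["text/html"])


def scan_notebook(nb):
    """Return findings as dicts: cell index, output index (None for markdown), tag, attrs."""
    findings = []
    for ci, cell in enumerate(nb.get("cells", [])):
        for oi, html in _html_fragments(cell):
            for tag, attrs in find_linker_elements(html):
                findings.append({"cell": ci, "output": oi, "tag": tag, "attrs": attrs})
    return findings


def strip_flagged_outputs(nb):
    """Return a deep copy with every flagged code-cell output removed.

    Markdown cells are left untouched so they can be reviewed by hand.
    """
    cleaned = json.loads(json.dumps(nb))
    flagged = {(f["cell"], f["output"]) for f in scan_notebook(nb) if f["output"] is not None}
    for ci, cell in enumerate(cleaned.get("cells", [])):
        if "outputs" in cell:
            cell["outputs"] = [o for oi, o in enumerate(cell["outputs"]) if (ci, oi) not in flagged]
    return cleaned


def scan_file(path):
    """Scan an .ipynb file on disk and return its findings."""
    with open(path, encoding="utf-8") as fh:
        return scan_notebook(json.load(fh))


# Constructed sample: a benign stream output, one HTML output carrying the
# CommandLinker attributes, and a harmless HTML table in a later cell.
SAMPLE_NOTEBOOK = {
    "nbformat": 4, "nbformat_minor": 5, "metadata": {},
    "cells": [
        {"cell_type": "markdown", "source": ["# Quarterly report\n"]},
        {"cell_type": "code", "source": ["print('ok')"], "outputs": [
            {"output_type": "stream", "name": "stdout", "text": ["ok\n"]},
            {"output_type": "display_data", "data": {"text/html": [
                "<div>",
                "<button data-commandlinker-command=\"EXAMPLE-COMMAND\" "
                "data-commandlinker-args='{}'>Open report</button></div>"]}}]},
        {"cell_type": "code", "source": [], "outputs": [
            {"output_type": "execute_result", "data": {
                "text/html": ["<table><tr><td>1</td></tr></table>"]}}]},
    ],
}


if __name__ == "__main__":
    for f in scan_notebook(SAMPLE_NOTEBOOK):
        print(f"cell {f['cell']} output {f['output']}: <{f['tag']}> {f['attrs']}")
```

Run it over a directory of notebooks with `scan_file(path)` before users open them; a non-empty result is the indicator of compromise listed above. `strip_flagged_outputs` is a quarantine step, not a substitute for upgrading to 4.5.7, since markdown cells and outputs in other mime types are not rewritten.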

Patch Information

The vulnerability is fixed in JupyterLab 4.5.7. The patched release removes the unsafe allowlisting and enforces a trust boundary in the CommandLinker click handler. Patch details and release notes are available in the GitHub Security Advisory GHSA-mqcg-5x36-vfcg.

Workarounds

  • Do not open untrusted notebooks in JupyterLab versions prior to 4.5.7
  • Disable or avoid using HTML cell outputs from notebooks of unknown provenance
  • Use the Jupyter trust model deliberately: clear outputs of untrusted notebooks before opening with jupyter trust --reset
```bash
# Upgrade JupyterLab to the patched version
pip install --upgrade "jupyterlab>=4.5.7"

# Verify the installed version
jupyter lab --version

# Clear outputs from an untrusted notebook before opening
jupyter nbconvert --clear-output --inplace untrusted_notebook.ipynb
```

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
