JupyterHub 1.1.0 allows CSRF in the admin panel via a request that lacks an _xsrf field, as demonstrated by a /hub/api/user request (to add or remove a user account).
{ "severity": "Medium", "cpes": [ "cpe:2.3:a:jupyter:jupyterhub:1.1.0:-:*:*:*:*:*:*", "cpe:2.3:a:jupyter:jupyterhub:*:*:*:*:*:*:*:*" ] }