CVE-2026-21883

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2026-21883

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-21883.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2026-21883

Aliases

GHSA-793v-589g-574v

Published

2026-01-08T02:15:53.950Z

Modified

2026-01-10T06:16:45.205675Z

Severity

4.5 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X CVSS Calculator

Summary

[none]

Details

Bokeh is an interactive visualization library written in Python. In versions 3.8.1 and below, if a server is configured with an allowlist (e.g., dashboard.corp), an attacker can register a domain like dashboard.corp.attacker.com (or use a subdomain if applicable) and lure a victim to visit it. The malicious site can then initiate a WebSocket connection to the vulnerable Bokeh server. Since the Origin header (e.g., http://dashboard.corp.attacker.com/) matches the allowlist according to the flawed logic, the connection is accepted. Once connected, the attacker can interact with the Bokeh server on behalf of the victim, potentially accessing sensitive data, or modifying visualizations. This issue is fixed in version 3.8.2.

References

Affected packages

Git / github.com/bokeh/bokeh

Affected ranges

Type: GIT
Repo: https://github.com/bokeh/bokeh
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

cedd113b0e271b439dce768671685cf5f861812e

Affected versions

0.*

0.1.0

0.10.0

0.11.0

0.11.1

0.12.0

0.12.1

0.12.10

0.12.11

0.12.12

0.12.13

0.12.14

0.12.15

0.12.16

0.12.2

0.12.3

0.12.4

0.12.5

0.12.6

0.12.7

0.12.9

0.13.0

0.3.0

0.4.0

0.4.1

0.4.2

0.4.3

0.4.4

0.5.0

0.5.1

0.5.2

0.6.0

0.6.1

0.7.0

0.7.1

0.8.0

0.8.1

0.8.2

0.9.0

0.9.1

0.9.2

0.9.3

1.*

1.0.0

1.0.1

1.0.2

1.0.3

1.0.4

1.1.0

1.2.0

1.3.0

1.3.1

1.3.2

1.3.4

1.4.0

2.*

2.0.0

2.0.1

2.0.2

2.1.0

2.3.0

2.4.0

3.*

3.0.0

3.3.0

3.4.0

3.4.0.dev1

3.4.0.dev2

3.4.0.dev3

3.4.0.dev4

3.4.0.dev5

3.4.0.dev6

3.4.0.dev7

3.4.0.dev8

3.4.0rc1

3.4.0rc2

3.5.0

3.5.0.dev1

3.5.0.dev2

3.5.0.dev3

3.5.0.dev4

3.5.0.dev5

3.5.0.dev6

3.5.0.dev7

3.5.0.dev8

3.5.0rc1

3.5.0rc2

3.6.0

3.6.0.dev1

3.6.0rc1

3.6.0rc2

3.7.0.dev1

3.7.0.dev2

3.7.0.dev3

3.7.0.dev4

3.7.0.dev5

3.7.0.dev6

3.7.0.dev7

3.7.0.dev8

3.7.0.dev9

3.7.0rc1

3.7.0rc2

3.8.0

3.8.0.dev1

3.8.0.dev2

3.8.0.dev3

3.8.0.dev4

3.8.0rc1

3.8.0rc2

3.8.1

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-21883.json"