PYSEC-2026-1479

See a problem?
Import Source
https://github.com/pypa/advisory-database/blob/main/vulns/jupyter-scheduler/PYSEC-2026-1479.yaml
JSON Data
https://api.osv.dev/v1/vulns/PYSEC-2026-1479
Aliases
Published
2026-07-07T11:45:43.373639Z
Modified
2026-07-07T17:46:13.960340678Z
Severity
  • 5.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N CVSS Calculator
Summary
jupyter-scheduler's endpoint is missing authentication
Details

Impact

jupyter_scheduler is missing an authentication check in Jupyter Server on an API endpoint (GET /scheduler/runtime_environments) which lists the names of the Conda environments on the server. In affected versions, jupyter_scheduler allows an unauthenticated user to obtain the list of Conda environment names on the server. This reveals any information that may be present in a Conda environment name.

This issue does not allow an unauthenticated third party to read, modify, or enter the Conda environments present on the server where jupyter_scheduler is running. This issue only reveals the list of Conda environment names.

Impacted versions: >=1.0.0,<=1.1.5 ; ==1.2.0 ; >=1.3.0,<=1.8.1 ; >=2.0.0,<=2.5.1

Patches

  • jupyter-scheduler==1.1.6
  • jupyter-scheduler==1.2.1
  • jupyter-scheduler==1.8.2
  • jupyter-scheduler==2.5.2

Workarounds

Server operators who are unable to upgrade can disable the jupyter-scheduler extension with:

jupyter server extension disable jupyter-scheduler

References

If you have any questions or comments about this advisory we ask that you contact AWS/Amazon Security via our vulnerability reporting page [1] or directly via email to aws-security@amazon.com. Please do not create a public GitHub issue.

[1] Vulnerability reporting page: https://aws.amazon.com/security/vulnerability-reporting

References

Affected packages

PyPI / jupyter-scheduler

Package

Name
jupyter-scheduler
View open source insights on deps.dev
Purl
pkg:pypi/jupyter-scheduler

Affected ranges

Type
ECOSYSTEM
Events
Introduced
1.0.0
Fixed
1.1.6
Introduced
1.2.0
Fixed
1.2.1
Introduced
1.3.0
Fixed
1.8.2
Introduced
2.0.0
Fixed
2.5.2

Affected versions

1.*
1.0.0
1.1.0
1.1.1
1.1.2
1.1.3
1.1.4
1.1.5
1.2.0
1.3.0
1.3.1
1.3.2
1.3.3
1.3.4
1.4.0
1.5.0
1.6.0
1.7.0
1.8.0
1.8.1
2.*
2.0.0
2.1.0
2.2.0
2.3.0
2.4.0
2.5.0
2.5.1

Database specific

source
"https://github.com/pypa/advisory-database/blob/main/vulns/jupyter-scheduler/PYSEC-2026-1479.yaml"