PYSEC-2026-2534

See a problem?
Import Source
https://github.com/pypa/advisory-database/blob/main/vulns/jupyterlab/PYSEC-2026-2534.yaml
JSON Data
https://api.osv.dev/v1/vulns/PYSEC-2026-2534
Aliases
Published
2026-07-13T14:20:02.685378Z
Modified
2026-07-13T16:42:58.393120611Z
Severity
  • 7.6 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:L CVSS Calculator
Summary
JupyterLab vulnerable to potential authentication and CSRF tokens leak
Details

Impact

Users of JupyterLab who click on a malicious link may get their Authorization and XSRFToken tokens exposed to a third party when running an older jupyter-server version.

Patches

JupyterLab 4.1.0b2, 4.0.11, and 3.6.7 were patched.

Workarounds

No workaround has been identified, however users should ensure to upgrade jupyter-server to version 2.7.2 or newer which includes a redirect vulnerability fix.

References

Vulnerability reported by user @davwwwx via the bug bounty program sponsored by the European Commission and hosted on the Intigriti platform.

References

Affected packages

PyPI / jupyterlab

Package

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
3.6.7
Introduced
4.0.0
Fixed
4.0.11

Affected versions

0.*
0.0.1
0.0.2
0.0.3
0.0.4
0.0.5
0.0.6
0.0.7
0.0.8
0.0.9
0.0.10
0.0.13
0.1.1
0.1.2
0.2.0
0.3.0
0.4.0
0.4.1
0.5.0
0.6.0
0.7.0
0.8.0
0.9.0
0.9.1
0.10.0
0.11.0
0.11.1
0.11.2
0.11.3
0.12.0
0.12.1
0.13.0
0.13.1
0.13.2
0.14.0
0.15.0
0.15.1
0.16.0
0.16.2
0.17.0
0.17.1
0.17.2
0.17.4
0.17.5
0.18.0.dev1
0.18.0
0.18.1
0.19.0
0.20.0rc1
0.20.0
0.20.1
0.20.2
0.20.3
0.20.4
0.21.0rc1
0.21.0rc2
0.21.0rc3
0.21.0rc4
0.21.0rc5
0.21.0
0.22.0rc0
0.22.0
0.22.1
0.23.0rc0
0.23.0rc1
0.23.0
0.23.1
0.23.2
0.24.0rc0
0.24.0rc1
0.24.0rc2
0.24.0
0.24.1
0.25.0rc0
0.25.0rc1
0.25.0
0.25.1
0.25.2rc0
0.25.2
0.26.0rc0
0.26.0rc1
0.26.0
0.26.1
0.26.2
0.26.3
0.26.4
0.26.5
0.27.0rc0
0.27.0rc1
0.27.0rc2
0.27.0rc3
0.27.0rc4
0.27.0rc5
0.27.0
0.27.1
0.27.2
0.28.0rc0
0.28.0rc1
0.28.0rc2
0.28.0rc3
0.28.0
0.28.1
0.28.2
0.28.3
0.28.4
0.28.5
0.28.6
0.28.7
0.28.8
0.28.10
0.28.11
0.28.12
0.28.13
0.28.14
0.28.15
0.29.0rc0
0.29.0
0.29.1
0.29.2
0.30.0rc0
0.30.0rc1
0.30.0
0.30.1
0.30.2
0.30.3
0.30.4
0.30.5
0.30.6
0.31.0rc0
0.31.0rc1
0.31.0rc2
0.31.0
0.31.1
0.31.2
0.31.3
0.31.4
0.31.5
0.31.6
0.31.7
0.31.8
0.31.9
0.31.10
0.31.11
0.31.12
0.32.0rc0
0.32.0rc1
0.32.0
0.32.1
0.33.0rc0
0.33.0rc1
0.33.0
0.33.1
0.33.2
0.33.3
0.33.4
0.33.5
0.33.6
0.33.7
0.33.8
0.33.9
0.33.10
0.33.11
0.33.12
0.34.0rc0
0.34.0rc1
0.34.0rc2
0.34.0
0.34.1
0.34.2
0.34.3
0.34.4
0.34.5
0.34.6
0.34.7
0.34.8
0.34.9
0.34.10
0.34.11
0.34.12
0.35.0rc0
0.35.0rc1
0.35.0rc2
0.35.0
0.35.1
0.35.2
0.35.3
0.35.4
0.35.5
0.35.6
1.*
1.0.0a0
1.0.0a1
1.0.0a2
1.0.0a3
1.0.0a4
1.0.0a5
1.0.0a6
1.0.0a7
1.0.0a8
1.0.0a9
1.0.0a10
1.0.0rc0
1.0.0rc1
1.0.0
1.0.1
1.0.2
1.0.3
1.0.4
1.0.5
1.0.6
1.0.7
1.0.9
1.0.10
1.1.0a0
1.1.0a1
1.1.0a2
1.1.0rc0
1.1.0
1.1.1
1.1.2
1.1.3
1.1.4
1.1.5
1.2.0a0
1.2.0a1
1.2.0a2
1.2.0a3
1.2.0rc0
1.2.0
1.2.1
1.2.2
1.2.3
1.2.4
1.2.5
1.2.6
1.2.7
1.2.8
1.2.9
1.2.10
1.2.11
1.2.12
1.2.13
1.2.14
1.2.15
1.2.16
1.2.17
1.2.18
1.2.19
1.2.20
1.2.21
2.*
2.0.0a0
2.0.0a1
2.0.0a3
2.0.0a4
2.0.0b1
2.0.0b2
2.0.0b3
2.0.0rc0
2.0.0rc1
2.0.0rc2
2.0.0
2.0.1rc0
2.0.1
2.0.2
2.1.0a0
2.1.0b0
2.1.0rc0
2.1.0
2.1.1
2.1.2
2.1.3
2.1.4
2.1.5
2.2.0a0
2.2.0a1
2.2.0rc1
2.2.0
2.2.1
2.2.2
2.2.4
2.2.5
2.2.6
2.2.7
2.2.8
2.2.9
2.2.10
2.3.0a0
2.3.0a1
2.3.0a2
2.3.0rc0
2.3.0
2.3.1
2.3.2
3.*
3.0.0a0
3.0.0a3
3.0.0a4
3.0.0a5
3.0.0a6
3.0.0a7
3.0.0a8
3.0.0a9
3.0.0a10
3.0.0a11
3.0.0a12
3.0.0a13
3.0.0a14
3.0.0b1
3.0.0b2
3.0.0b3
3.0.0b4
3.0.0b6
3.0.0b7
3.0.0b8
3.0.0rc0
3.0.0rc1
3.0.0rc2
3.0.0rc3
3.0.0rc4
3.0.0rc5
3.0.0rc6
3.0.0rc7
3.0.0rc8
3.0.0rc9
3.0.0rc10
3.0.0rc11
3.0.0rc12
3.0.0rc13
3.0.0rc14
3.0.0rc15
3.0.0
3.0.1
3.0.2
3.0.3
3.0.4
3.0.5
3.0.6
3.0.7
3.0.8
3.0.9
3.0.10
3.0.11
3.0.12
3.0.13
3.0.14
3.0.15
3.0.16
3.0.17
3.0.18
3.1.0a0
3.1.0a1
3.1.0a2
3.1.0a3
3.1.0a4
3.1.0a5
3.1.0a6
3.1.0a7
3.1.0a8
3.1.0a9
3.1.0a10
3.1.0a11
3.1.0a12
3.1.0a13
3.1.0b0
3.1.0b1
3.1.0rc1
3.1.0rc2
3.1.0
3.1.1
3.1.2
3.1.4
3.1.6
3.1.7
3.1.8
3.1.9
3.1.10
3.1.11
3.1.12
3.1.13
3.1.14
3.1.16
3.1.17
3.1.18
3.1.19
3.2.0a0
3.2.0a1
3.2.0b0
3.2.0rc0
3.2.0
3.2.1
3.2.2
3.2.3
3.2.4
3.2.5
3.2.6
3.2.7
3.2.8
3.2.9
3.3.0a1
3.3.0a2
3.3.0a3
3.3.0b0
3.3.0rc0
3.3.0
3.3.1
3.3.2
3.3.3
3.3.4
3.4.0a0
3.4.0b0
3.4.0rc0
3.4.0
3.4.1
3.4.2
3.4.3
3.4.4
3.4.5
3.4.6
3.4.7
3.4.8
3.5.0a0
3.5.0b0
3.5.0rc0
3.5.0
3.5.1
3.5.2
3.5.3
3.6.0a0
3.6.0a1
3.6.0a2
3.6.0a3
3.6.0a4
3.6.0a5
3.6.0b0
3.6.0rc0
3.6.0rc1
3.6.0
3.6.1
3.6.2
3.6.3
3.6.4
3.6.5
3.6.6
4.*
4.0.0
4.0.1
4.0.2
4.0.3
4.0.4
4.0.5
4.0.6
4.0.7
4.0.8
4.0.9
4.0.10

Database specific

source
"https://github.com/pypa/advisory-database/blob/main/vulns/jupyterlab/PYSEC-2026-2534.yaml"