PYSEC-2026-365

See a problem?
Import Source
https://github.com/pypa/advisory-database/blob/main/vulns/jupyter-remote-desktop-proxy/PYSEC-2026-365.yaml
JSON Data
https://api.osv.dev/v1/vulns/PYSEC-2026-365
Aliases
Published
2026-06-29T11:50:35.874980Z
Modified
2026-07-01T20:22:54.840490Z
Severity
  • 9.0 (Critical) CVSS_V4 - CVSS:4.0/AV:A/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H CVSS Calculator
Summary
TigerVNC accessible via the network and not just via a UNIX socket as intended
Details

Summary

jupyter-remote-desktop-proxy was meant to rely on UNIX sockets readable only by the current user since version 3.0.0, but when used with TigerVNC, the VNC server started by jupyter-remote-desktop-proxy were still accessible via the network.

This vulnerability does not affect users having TurboVNC as the vncserver executable.

Credits

This vulnerability was identified by Arne Gottwald at University of Göttingen and analyzed, reported, and reviewed by @frejanordsiek.

References

Affected packages

PyPI / jupyter-remote-desktop-proxy

Package

Name
jupyter-remote-desktop-proxy
View open source insights on deps.dev
Purl
pkg:pypi/jupyter-remote-desktop-proxy

Affected ranges

Type
ECOSYSTEM
Events
Introduced
3.0.0
Fixed
3.0.1

Affected versions

3.*
3.0.0

Database specific

source
"https://github.com/pypa/advisory-database/blob/main/vulns/jupyter-remote-desktop-proxy/PYSEC-2026-365.yaml"