JupyterHub 1.1.0 allows CSRF in the admin panel via a request that lacks an _xsrf field, as demonstrated by a /hub/api/user request (to add or remove a user account).
{ "binaries": [ { "binary_name": "jupyterhub", "binary_version": "2.0.0+ds1-2" } ] }
{ "binaries": [ { "binary_name": "jupyterhub", "binary_version": "3.0.0+ds1-1" } ] }
{ "binaries": [ { "binary_name": "jupyterhub", "binary_version": "5.2.1+ds1-2" } ] }