UBUNTU-CVE-2026-40864

See a problem?
Please try reporting it to the source first.

Source

https://ubuntu.com/security/CVE-2026-40864

Import Source

https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-40864.json

JSON Data

https://api.osv.dev/v1/vulns/UBUNTU-CVE-2026-40864

Upstream

CVE-2026-40864

Published

2026-05-22T21:16:00Z

Modified

2026-06-03T07:15:13.188061394Z

Severity

5.4 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L CVSS Calculator
4.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N CVSS Calculator
Ubuntu - medium

Summary

[none]

Details

JupyterHub is software that allows users to create a multi-user server for Jupyter notebooks. In versions 4.1.0 through 5.4.4, XSRF protection (updated in 4.1.0) inappropriately treated requests with Sec-Fetch-Mode: no-cors as same-origin requests, bypassing XSRF checks. The JSON API is not affected, only HTTP form endpoints, such as /hub/spawn and /hub/accept-share, meaning attackers could trigger server spawn (but not access the server) and if the attacker is a JupyterHub user permitted to share access to their server, cause a user to accept a share and have access to the attacker's server. This issue has been fixed in version 5.4.5. If developers are unable to immediately upgrade, they can temporarily mitigate this issue by dropping requests to JupyterHub with Sec-Fetch-Mode: no-cors if they are using a reverse proxy.

References

Affected packages

Ubuntu:22.04:LTS / jupyterhub

Package

Name: jupyterhub
Purl: pkg:deb/ubuntu/jupyterhub?arch=source&distro=jammy

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

2.*

2.0.0+ds1-1

2.0.0+ds1-2

Ecosystem specific

{
    "binaries": [
        {
            "binary_name": "jupyterhub",
            "binary_version": "2.0.0+ds1-2"
        }
    ]
}

Database specific

source

"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-40864.json"

Ubuntu:24.04:LTS / jupyterhub

Package

Name: jupyterhub
Purl: pkg:deb/ubuntu/jupyterhub?arch=source&distro=noble

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

3.*

3.0.0+ds1-1

Ecosystem specific

{
    "binaries": [
        {
            "binary_name": "jupyterhub",
            "binary_version": "3.0.0+ds1-1"
        }
    ]
}

Database specific

source

"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-40864.json"

Ubuntu:25.10 / jupyterhub

Package

Name: jupyterhub
Purl: pkg:deb/ubuntu/jupyterhub?arch=source&distro=questing

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

5.*

5.2.1+ds1-2

5.2.1+ds1-3

5.2.1+ds1-4

Ecosystem specific

{
    "binaries": [
        {
            "binary_name": "jupyterhub",
            "binary_version": "5.2.1+ds1-4"
        }
    ]
}

Database specific

source

"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-40864.json"

Ubuntu:26.04:LTS / jupyterhub

Package

Name: jupyterhub
Purl: pkg:deb/ubuntu/jupyterhub?arch=source&distro=resolute

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

5.*

5.2.1+ds1-4

Ecosystem specific

{
    "binaries": [
        {
            "binary_name": "jupyterhub",
            "binary_version": "5.2.1+ds1-4"
        }
    ]
}

Database specific

source

"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-40864.json"