Threat Advisory

JupyterLab Extension Manager Policy Discrepancy Exploit Vulnerability

Threat: Vulnerability
Targeted Region: Global
Targeted Sector: Technology & IT
Criticality: High

EXECUTIVE SUMMARY:

CVE-2026-42266 (CVSS 8.8, High severity) is a vulnerability in the JupyterLab extension manager. It affects jupyterlab versions 4.0.0 through 4.5.6, including JupyterLab instances served through JupyterHub. The extension manager's REST API does not enforce the same policy as its GUI: a deployment that blocks third-party extension installs in the GUI does not stop an authenticated user from installing one by sending a POST request directly to the API. Installing an extension means installing and running third-party code in the server's environment, so anyone holding an authenticated session (a student in a shared JupyterHub environment, or a tenant in a multi-tenant JupyterLab deployment) can use this to escalate privileges, exfiltrate data, move laterally, and establish persistence on the server infrastructure. The business impact is greatest for deployments that rely on allow-listed extensions as a control; that have disabled the kernel and terminal, or delegated them to remote hosts, while leaving the extension manager reachable; that run multi-tenant environments not configured for untrusted users; or that have the PyPI Extension Manager enabled.
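The following is an added example, not code from the advisory or from the JupyterLab project. It shows the two checks a defender would want from the summary above: whether a reported JupyterLab version falls in the affected 4.0.0 to 4.5.6 range, and whether a server's access log shows users writing to the extension manager API directly rather than only listing extensions through the GUI. The endpoint path /lab/api/extensions and the log-line layout are assumptions modelled on jupyter_server's default request log; the log lines are constructed samples.

```python
"""Version check and access-log triage for the JupyterLab extension
manager advisory. Added example; assumptions are marked inline."""
import re
from typing import List, NamedTuple

# Affected range from the advisory (inclusive) and the fixed release.
AFFECTED_MIN = (4, 0, 0)
AFFECTED_MAX = (4, 5, 6)
FIXED = (4, 5, 7)

# ASSUMPTION: jupyter_server's default access log line, e.g.
# [I 2026-04-01 10:15:02.123 ServerApp] 201 POST /lab/api/extensions (alice@10.0.0.5) 812.30ms
LOG_RE = re.compile(
    r"\[(?P<level>[IWE]) (?P<ts>\S+ \S+) ServerApp\] "
    r"(?P<status>\d{3}) (?P<method>[A-Z]+) (?P<uri>\S+) "
    r"\((?P<user>[^@]+)@(?P<ip>[^)]+)\) (?P<ms>[\d.]+)ms"
)
# ASSUMPTION: the extension manager's REST endpoint. A GET is the listing
# the GUI uses; install/uninstall/enable/disable are sent as a POST body.
EXT_API = re.compile(r"^/lab/api/extensions(?:[/?].*)?$")


class Hit(NamedTuple):
    user: str
    ip: str
    status: int
    uri: str


def parse_version(v: str):
    """'4.5.6' -> (4, 5, 6). Pre-release suffixes such as 'rc1' are ignored."""
    m = re.match(r"^\s*(\d+)\.(\d+)\.(\d+)", v)
    if not m:
        raise ValueError(f"unrecognised version string: {v!r}")
    return tuple(int(x) for x in m.groups())


def is_affected(v: str) -> bool:
    """True if the version is inside the advisory's affected range."""
    return AFFECTED_MIN <= parse_version(v) <= AFFECTED_MAX


def find_extension_writes(lines) -> List[Hit]:
    """Return every POST to the extension manager API, whatever its status.

    A 4xx is still worth seeing: it shows who tried, even if policy held."""
    hits = []
    for line in lines:
        m = LOG_RE.search(line)
        if m and m["method"] == "POST" and EXT_API.match(m["uri"]):
            hits.append(Hit(m["user"], m["ip"], int(m["status"]), m["uri"]))
    return hits


def users_with_successful_writes(hits: List[Hit]):
    """Users whose POST to the extension API was accepted (status < 400)."""
    return sorted({h.user for h in hits if h.status < 400})


# Constructed sample log lines, not real server output.
SAMPLE_LOG = [
    "[I 2026-04-01 10:14:58.001 ServerApp] 200 GET /lab/api/extensions?query=&page=1 (alice@10.0.0.5) 45.10ms",
    "[I 2026-04-01 10:15:02.123 ServerApp] 201 POST /lab/api/extensions (alice@10.0.0.5) 812.30ms",
    "[I 2026-04-01 10:15:09.410 ServerApp] 200 GET /api/contents/work (bob@10.0.0.7) 3.62ms",
    "[W 2026-04-01 10:16:44.000 ServerApp] 403 POST /lab/api/extensions (bob@10.0.0.7) 2.00ms",
    "[I 2026-04-01 10:17:01.555 ServerApp] 200 POST /api/sessions (bob@10.0.0.7) 120.00ms",
]

if __name__ == "__main__":
    for v in ("4.0.0", "4.5.6", "4.5.7", "3.6.8"):
        print(f"jupyterlab {v}: {'AFFECTED' if is_affected(v) else 'not affected'}")
    hits = find_extension_writes(SAMPLE_LOG)
    for h in hits:
        print(f"{h.user}@{h.ip} -> {h.status} POST {h.uri}")
    print("users with accepted extension writes:", users_with_successful_writes(hits))
```

Run the version check against the output of jupyter lab --version on every server environment, including the per-user environments a JupyterHub spawner creates. In the log triage, a user who never opens the extension manager in the GUI but appears with an accepted POST to the endpoint is exactly the pattern the advisory describes: the GUI policy was bypassed by talking to the API directly.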

RECOMMENDATION:

We recommend updating JupyterLab to version 4.5.7 or later. Confirm the running version with jupyter lab --version (or pip show jupyterlab) in every server environment, including the per-user environments that JupyterHub spawns, since a patched hub image does not guarantee that user environments are patched.

REFERENCES:

The following report contains further technical details:
https://github.com/advisories/GHSA-37w4-hwhx-4rc4
