Action not permitted
Modal body text goes here.
Modal Title
Modal Body
CVE-2026-40934 (GCVE-0-2026-40934)
Vulnerability from cvelistv5 – Published: 2026-05-05 21:31 – Updated: 2026-05-07 12:48
VLAI
EPSS
Title
jupyter-server authentication cookies remain valid after password reset due to static cookie secret
Summary
Jupyter Server is the backend for Jupyter web applications. In versions 2.17.0 and earlier, the secret used to sign authentication cookies is persisted to a static file at ~/.local/share/jupyter/runtime/jupyter_cookie_secret and is never rotated when a user changes their password. After a password reset and server restart, any previously issued authentication cookie remains cryptographically valid because the signing key has not changed. An attacker who has captured a session cookie through any means retains full authenticated access to the server regardless of subsequent password changes. This affects deployments using password-based authentication, particularly shared or public-facing servers where credential rotation is expected to revoke existing sessions. This issue has been fixed in version 2.18.0.
Severity
CWE
- CWE-613 - Insufficient Session Expiration
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://github.com/jupyter-server/jupyter_server/… | x_refsource_CONFIRM |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| jupyter-server | jupyter_server |
Affected:
< 2.18.0
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-40934",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-07T03:55:46.015938Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-07T12:48:21.223Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "jupyter_server",
"vendor": "jupyter-server",
"versions": [
{
"status": "affected",
"version": "\u003c 2.18.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Jupyter Server is the backend for Jupyter web applications. In versions 2.17.0 and earlier, the secret used to sign authentication cookies is persisted to a static file at ~/.local/share/jupyter/runtime/jupyter_cookie_secret and is never rotated when a user changes their password. After a password reset and server restart, any previously issued authentication cookie remains cryptographically valid because the signing key has not changed. An attacker who has captured a session cookie through any means retains full authenticated access to the server regardless of subsequent password changes. This affects deployments using password-based authentication, particularly shared or public-facing servers where credential rotation is expected to revoke existing sessions. This issue has been fixed in version 2.18.0."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 7.6,
"baseSeverity": "HIGH",
"privilegesRequired": "LOW",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-613",
"description": "CWE-613: Insufficient Session Expiration",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-05T21:31:42.897Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/jupyter-server/jupyter_server/security/advisories/GHSA-5mrq-x3x5-8v8f",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/jupyter-server/jupyter_server/security/advisories/GHSA-5mrq-x3x5-8v8f"
}
],
"source": {
"advisory": "GHSA-5mrq-x3x5-8v8f",
"discovery": "UNKNOWN"
},
"title": "jupyter-server authentication cookies remain valid after password reset due to static cookie secret"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-40934",
"datePublished": "2026-05-05T21:31:42.897Z",
"dateReserved": "2026-04-15T20:40:15.518Z",
"dateUpdated": "2026-05-07T12:48:21.223Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2",
"vulnerability-lookup:meta": {
"epss": {
"cve": "CVE-2026-40934",
"date": "2026-05-27",
"epss": "0.00018",
"percentile": "0.05033"
},
"nvd": "{\"cve\":{\"id\":\"CVE-2026-40934\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2026-05-05T22:16:00.820\",\"lastModified\":\"2026-05-11T13:00:39.473\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Jupyter Server is the backend for Jupyter web applications. In versions 2.17.0 and earlier, the secret used to sign authentication cookies is persisted to a static file at ~/.local/share/jupyter/runtime/jupyter_cookie_secret and is never rotated when a user changes their password. After a password reset and server restart, any previously issued authentication cookie remains cryptographically valid because the signing key has not changed. An attacker who has captured a session cookie through any means retains full authenticated access to the server regardless of subsequent password changes. This affects deployments using password-based authentication, particularly shared or public-facing servers where credential rotation is expected to revoke existing sessions. This issue has been fixed in version 2.18.0.\"}],\"metrics\":{\"cvssMetricV40\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"4.0\",\"vectorString\":\"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X\",\"baseScore\":7.6,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"attackRequirements\":\"PRESENT\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"vulnConfidentialityImpact\":\"HIGH\",\"vulnIntegrityImpact\":\"HIGH\",\"vulnAvailabilityImpact\":\"NONE\",\"subConfidentialityImpact\":\"NONE\",\"subIntegrityImpact\":\"NONE\",\"subAvailabilityImpact\":\"NONE\",\"exploitMaturity\":\"NOT_DEFINED\",\"confidentialityRequirement\":\"NOT_DEFINED\",\"integrityRequirement\":\"NOT_DEFINED\",\"availabilityRequirement\":\"NOT_DEFINED\",\"modifiedAttackVector\":\"NOT_DEFINED\",\"modifiedAttackComplexity\":\"NOT_DEFINED\",\"modifiedAttackRequirements\":\"NOT_DEFINED\",\"modifiedPrivilegesRequired\":\"NOT_DEFINED\",\"modifiedUserInteraction\":\"NOT_DEFINED\",\"modifiedVulnConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedVulnIntegrityImpact\":\"NOT_DEFINED\",\"modifiedVulnAvailabilityImpact\":\"NOT_DEFINED\",\"modifiedSubConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedSubIntegrityImpact\":\"NOT_DEFINED\",\"modifiedSubAvailabilityImpact\":\"NOT_DEFINED\",\"Safety\":\"NOT_DEFINED\",\"Automatable\":\"NOT_DEFINED\",\"Recovery\":\"NOT_DEFINED\",\"valueDensity\":\"NOT_DEFINED\",\"vulnerabilityResponseEffort\":\"NOT_DEFINED\",\"providerUrgency\":\"NOT_DEFINED\"}}],\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N\",\"baseScore\":6.8,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"HIGH\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":1.6,\"impactScore\":5.2}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-613\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:jupyter:jupyter_server:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"2.18.0\",\"matchCriteriaId\":\"E0B6C703-7E28-4F23-9878-E157975C32A4\"}]}]}],\"references\":[{\"url\":\"https://github.com/jupyter-server/jupyter_server/security/advisories/GHSA-5mrq-x3x5-8v8f\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Exploit\",\"Vendor Advisory\",\"Mitigation\"]}]}}",
"vulnrichment": {
"containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-40934\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"total\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-05-07T03:55:46.015938Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-05-06T14:51:42.855Z\"}}], \"cna\": {\"title\": \"jupyter-server authentication cookies remain valid after password reset due to static cookie secret\", \"source\": {\"advisory\": \"GHSA-5mrq-x3x5-8v8f\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV4_0\": {\"version\": \"4.0\", \"baseScore\": 7.6, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"attackRequirements\": \"PRESENT\", \"privilegesRequired\": \"LOW\", \"subIntegrityImpact\": \"NONE\", \"vulnIntegrityImpact\": \"HIGH\", \"subAvailabilityImpact\": \"NONE\", \"vulnAvailabilityImpact\": \"NONE\", \"subConfidentialityImpact\": \"NONE\", \"vulnConfidentialityImpact\": \"HIGH\"}}], \"affected\": [{\"vendor\": \"jupyter-server\", \"product\": \"jupyter_server\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003c 2.18.0\"}]}], \"references\": [{\"url\": \"https://github.com/jupyter-server/jupyter_server/security/advisories/GHSA-5mrq-x3x5-8v8f\", \"name\": \"https://github.com/jupyter-server/jupyter_server/security/advisories/GHSA-5mrq-x3x5-8v8f\", \"tags\": [\"x_refsource_CONFIRM\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"Jupyter Server is the backend for Jupyter web applications. In versions 2.17.0 and earlier, the secret used to sign authentication cookies is persisted to a static file at ~/.local/share/jupyter/runtime/jupyter_cookie_secret and is never rotated when a user changes their password. After a password reset and server restart, any previously issued authentication cookie remains cryptographically valid because the signing key has not changed. An attacker who has captured a session cookie through any means retains full authenticated access to the server regardless of subsequent password changes. This affects deployments using password-based authentication, particularly shared or public-facing servers where credential rotation is expected to revoke existing sessions. This issue has been fixed in version 2.18.0.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-613\", \"description\": \"CWE-613: Insufficient Session Expiration\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2026-05-05T21:31:42.897Z\"}}}",
"cveMetadata": "{\"cveId\": \"CVE-2026-40934\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-05-06T14:52:39.078Z\", \"dateReserved\": \"2026-04-15T20:40:15.518Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2026-05-05T21:31:42.897Z\", \"assignerShortName\": \"GitHub_M\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
}
}
FKIE_CVE-2026-40934
Vulnerability from fkie_nvd - Published: 2026-05-05 22:16 - Updated: 2026-05-11 13:00
Severity
Summary
Jupyter Server is the backend for Jupyter web applications. In versions 2.17.0 and earlier, the secret used to sign authentication cookies is persisted to a static file at ~/.local/share/jupyter/runtime/jupyter_cookie_secret and is never rotated when a user changes their password. After a password reset and server restart, any previously issued authentication cookie remains cryptographically valid because the signing key has not changed. An attacker who has captured a session cookie through any means retains full authenticated access to the server regardless of subsequent password changes. This affects deployments using password-based authentication, particularly shared or public-facing servers where credential rotation is expected to revoke existing sessions. This issue has been fixed in version 2.18.0.
References
| URL | Tags | ||
|---|---|---|---|
| security-advisories@github.com | https://github.com/jupyter-server/jupyter_server/security/advisories/GHSA-5mrq-x3x5-8v8f | Exploit, Vendor Advisory, Mitigation |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| jupyter | jupyter_server | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:jupyter:jupyter_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "E0B6C703-7E28-4F23-9878-E157975C32A4",
"versionEndExcluding": "2.18.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Jupyter Server is the backend for Jupyter web applications. In versions 2.17.0 and earlier, the secret used to sign authentication cookies is persisted to a static file at ~/.local/share/jupyter/runtime/jupyter_cookie_secret and is never rotated when a user changes their password. After a password reset and server restart, any previously issued authentication cookie remains cryptographically valid because the signing key has not changed. An attacker who has captured a session cookie through any means retains full authenticated access to the server regardless of subsequent password changes. This affects deployments using password-based authentication, particularly shared or public-facing servers where credential rotation is expected to revoke existing sessions. This issue has been fixed in version 2.18.0."
}
],
"id": "CVE-2026-40934",
"lastModified": "2026-05-11T13:00:39.473",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"exploitabilityScore": 1.6,
"impactScore": 5.2,
"source": "nvd@nist.gov",
"type": "Primary"
}
],
"cvssMetricV40": [
{
"cvssData": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"availabilityRequirement": "NOT_DEFINED",
"baseScore": 7.6,
"baseSeverity": "HIGH",
"confidentialityRequirement": "NOT_DEFINED",
"exploitMaturity": "NOT_DEFINED",
"integrityRequirement": "NOT_DEFINED",
"modifiedAttackComplexity": "NOT_DEFINED",
"modifiedAttackRequirements": "NOT_DEFINED",
"modifiedAttackVector": "NOT_DEFINED",
"modifiedPrivilegesRequired": "NOT_DEFINED",
"modifiedSubAvailabilityImpact": "NOT_DEFINED",
"modifiedSubConfidentialityImpact": "NOT_DEFINED",
"modifiedSubIntegrityImpact": "NOT_DEFINED",
"modifiedUserInteraction": "NOT_DEFINED",
"modifiedVulnAvailabilityImpact": "NOT_DEFINED",
"modifiedVulnConfidentialityImpact": "NOT_DEFINED",
"modifiedVulnIntegrityImpact": "NOT_DEFINED",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"source": "security-advisories@github.com",
"type": "Secondary"
}
]
},
"published": "2026-05-05T22:16:00.820",
"references": [
{
"source": "security-advisories@github.com",
"tags": [
"Exploit",
"Vendor Advisory",
"Mitigation"
],
"url": "https://github.com/jupyter-server/jupyter_server/security/advisories/GHSA-5mrq-x3x5-8v8f"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-613"
}
],
"source": "security-advisories@github.com",
"type": "Secondary"
}
]
}
GHSA-5MRQ-X3X5-8V8F
Vulnerability from github – Published: 2026-05-05 17:03 – Updated: 2026-05-08 15:36
VLAI
Summary
Jupyter Server's Authentication Cookies Remain Valid After Password Reset and Server Restart
Details
Summary
A persistent cookie secret vulnerability allows authenticated users to maintain indefinite access even after password changes.
The cookie secret used to sign authentication cookies is stored in a permanent file (~/.local/share/jupyter/runtime/jupyter_cookie_secret) that is never automatically rotated or cleared, allowing stolen or compromised cookies to remain valid indefinitely regardless of password resets.
PoC
- Start a Jupyter server with password authentication:
jupyter server password,jupyter server - Log in with the password and capture the authentication cookie (e.g., just login with a browser).
- Change the password to revoke access:
jupyter server password - Restart the server
- Use the old stolen cookie => remains valid and provides full authenticated access.
Impact
- All jupyter-server deployments using password authentication where security incidents may occur
- Multi-user systems where one user's compromised session should be revocable by administrators
- Shared or public-facing Jupyter servers where credential rotation is a security requirement
- Any deployment where password changes are expected to revoke existing sessions
Patches
Jupyter Server 2.18+
Workaround
rm ~/.local/share/jupyter/runtime/jupyter_cookie_secret
# Then restart the server
Severity
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 2.17.0"
},
"package": {
"ecosystem": "PyPI",
"name": "jupyter-server"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.18.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-40934"
],
"database_specific": {
"cwe_ids": [
"CWE-613"
],
"github_reviewed": true,
"github_reviewed_at": "2026-05-05T17:03:24Z",
"nvd_published_at": "2026-05-05T22:16:00Z",
"severity": "HIGH"
},
"details": "## Summary\n\nA persistent cookie secret vulnerability allows authenticated users to maintain indefinite access even after password changes. \n\nThe cookie secret used to sign authentication cookies is stored in a permanent file (`~/.local/share/jupyter/runtime/jupyter_cookie_secret`) that is never automatically rotated or cleared, allowing stolen or compromised cookies to remain valid indefinitely regardless of password resets.\n\n## PoC\n\n- Start a Jupyter server with password authentication: `jupyter server password`, `jupyter server`\n- Log in with the password and capture the authentication cookie (e.g., just login with a browser).\n- Change the password to revoke access: `jupyter server password`\n- Restart the server\n- Use the old stolen cookie =\u003e remains valid and provides full authenticated access.\n\n## Impact\n\n- All jupyter-server deployments using password authentication where security incidents may occur\n- Multi-user systems where one user\u0027s compromised session should be revocable by administrators\n- Shared or public-facing Jupyter servers where credential rotation is a security requirement\n- Any deployment where password changes are expected to revoke existing sessions\n\n## Patches\n\nJupyter Server 2.18+\n\n## Workaround\n\n```bash\nrm ~/.local/share/jupyter/runtime/jupyter_cookie_secret\n# Then restart the server\n```",
"id": "GHSA-5mrq-x3x5-8v8f",
"modified": "2026-05-08T15:36:26Z",
"published": "2026-05-05T17:03:24Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/jupyter-server/jupyter_server/security/advisories/GHSA-5mrq-x3x5-8v8f"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-40934"
},
{
"type": "PACKAGE",
"url": "https://github.com/jupyter-server/jupyter_server"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "Jupyter Server\u0027s Authentication Cookies Remain Valid After Password Reset and Server Restart"
}
OPENSUSE-SU-2026:10710-1
Vulnerability from csaf_opensuse - Published: 2026-05-06 00:00 - Updated: 2026-05-06 00:00Summary
python311-jupyter-server-2.18.1-1.1 on GA media
Severity
Moderate
Notes
Title of the patch: python311-jupyter-server-2.18.1-1.1 on GA media
Description of the patch: These are all security issues fixed in the python311-jupyter-server-2.18.1-1.1 package on the GA media of openSUSE Tumbleweed.
Patchnames: openSUSE-Tumbleweed-2026-10710
Terms of use: CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).
Affected products
Recommended
24 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Tumbleweed:python311-jupyter-server-2.18.1-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:python311-jupyter-server-2.18.1-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:python311-jupyter-server-2.18.1-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:python311-jupyter-server-2.18.1-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:python311-jupyter-server-test-2.18.1-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:python311-jupyter-server-test-2.18.1-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:python311-jupyter-server-test-2.18.1-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:python311-jupyter-server-test-2.18.1-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:python313-jupyter-server-2.18.1-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:python313-jupyter-server-2.18.1-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:python313-jupyter-server-2.18.1-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:python313-jupyter-server-2.18.1-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:python313-jupyter-server-test-2.18.1-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:python313-jupyter-server-test-2.18.1-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:python313-jupyter-server-test-2.18.1-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:python313-jupyter-server-test-2.18.1-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:python314-jupyter-server-2.18.1-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:python314-jupyter-server-2.18.1-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:python314-jupyter-server-2.18.1-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:python314-jupyter-server-2.18.1-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:python314-jupyter-server-test-2.18.1-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:python314-jupyter-server-test-2.18.1-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:python314-jupyter-server-test-2.18.1-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:python314-jupyter-server-test-2.18.1-1.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
moderate
Affected products
Recommended
24 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Tumbleweed:python311-jupyter-server-2.18.1-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:python311-jupyter-server-2.18.1-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:python311-jupyter-server-2.18.1-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:python311-jupyter-server-2.18.1-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:python311-jupyter-server-test-2.18.1-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:python311-jupyter-server-test-2.18.1-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:python311-jupyter-server-test-2.18.1-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:python311-jupyter-server-test-2.18.1-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:python313-jupyter-server-2.18.1-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:python313-jupyter-server-2.18.1-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:python313-jupyter-server-2.18.1-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:python313-jupyter-server-2.18.1-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:python313-jupyter-server-test-2.18.1-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:python313-jupyter-server-test-2.18.1-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:python313-jupyter-server-test-2.18.1-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:python313-jupyter-server-test-2.18.1-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:python314-jupyter-server-2.18.1-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:python314-jupyter-server-2.18.1-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:python314-jupyter-server-2.18.1-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:python314-jupyter-server-2.18.1-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:python314-jupyter-server-test-2.18.1-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:python314-jupyter-server-test-2.18.1-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:python314-jupyter-server-test-2.18.1-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:python314-jupyter-server-test-2.18.1-1.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
moderate
Affected products
Recommended
24 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Tumbleweed:python311-jupyter-server-2.18.1-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:python311-jupyter-server-2.18.1-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:python311-jupyter-server-2.18.1-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:python311-jupyter-server-2.18.1-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:python311-jupyter-server-test-2.18.1-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:python311-jupyter-server-test-2.18.1-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:python311-jupyter-server-test-2.18.1-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:python311-jupyter-server-test-2.18.1-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:python313-jupyter-server-2.18.1-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:python313-jupyter-server-2.18.1-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:python313-jupyter-server-2.18.1-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:python313-jupyter-server-2.18.1-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:python313-jupyter-server-test-2.18.1-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:python313-jupyter-server-test-2.18.1-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:python313-jupyter-server-test-2.18.1-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:python313-jupyter-server-test-2.18.1-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:python314-jupyter-server-2.18.1-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:python314-jupyter-server-2.18.1-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:python314-jupyter-server-2.18.1-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:python314-jupyter-server-2.18.1-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:python314-jupyter-server-test-2.18.1-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:python314-jupyter-server-test-2.18.1-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:python314-jupyter-server-test-2.18.1-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:python314-jupyter-server-test-2.18.1-1.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
moderate
Affected products
Recommended
24 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Tumbleweed:python311-jupyter-server-2.18.1-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:python311-jupyter-server-2.18.1-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:python311-jupyter-server-2.18.1-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:python311-jupyter-server-2.18.1-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:python311-jupyter-server-test-2.18.1-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:python311-jupyter-server-test-2.18.1-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:python311-jupyter-server-test-2.18.1-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:python311-jupyter-server-test-2.18.1-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:python313-jupyter-server-2.18.1-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:python313-jupyter-server-2.18.1-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:python313-jupyter-server-2.18.1-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:python313-jupyter-server-2.18.1-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:python313-jupyter-server-test-2.18.1-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:python313-jupyter-server-test-2.18.1-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:python313-jupyter-server-test-2.18.1-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:python313-jupyter-server-test-2.18.1-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:python314-jupyter-server-2.18.1-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:python314-jupyter-server-2.18.1-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:python314-jupyter-server-2.18.1-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:python314-jupyter-server-2.18.1-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:python314-jupyter-server-test-2.18.1-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:python314-jupyter-server-test-2.18.1-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:python314-jupyter-server-test-2.18.1-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:python314-jupyter-server-test-2.18.1-1.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
moderate
References
14 references
{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "python311-jupyter-server-2.18.1-1.1 on GA media",
"title": "Title of the patch"
},
{
"category": "description",
"text": "These are all security issues fixed in the python311-jupyter-server-2.18.1-1.1 package on the GA media of openSUSE Tumbleweed.",
"title": "Description of the patch"
},
{
"category": "details",
"text": "openSUSE-Tumbleweed-2026-10710",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2026_10710-1.json"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-61669 page",
"url": "https://www.suse.com/security/cve/CVE-2025-61669/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2026-35397 page",
"url": "https://www.suse.com/security/cve/CVE-2026-35397/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2026-40110 page",
"url": "https://www.suse.com/security/cve/CVE-2026-40110/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2026-40934 page",
"url": "https://www.suse.com/security/cve/CVE-2026-40934/"
}
],
"title": "python311-jupyter-server-2.18.1-1.1 on GA media",
"tracking": {
"current_release_date": "2026-05-06T00:00:00Z",
"generator": {
"date": "2026-05-06T00:00:00Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "openSUSE-SU-2026:10710-1",
"initial_release_date": "2026-05-06T00:00:00Z",
"revision_history": [
{
"date": "2026-05-06T00:00:00Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "python311-jupyter-server-2.18.1-1.1.aarch64",
"product": {
"name": "python311-jupyter-server-2.18.1-1.1.aarch64",
"product_id": "python311-jupyter-server-2.18.1-1.1.aarch64"
}
},
{
"category": "product_version",
"name": "python311-jupyter-server-test-2.18.1-1.1.aarch64",
"product": {
"name": "python311-jupyter-server-test-2.18.1-1.1.aarch64",
"product_id": "python311-jupyter-server-test-2.18.1-1.1.aarch64"
}
},
{
"category": "product_version",
"name": "python313-jupyter-server-2.18.1-1.1.aarch64",
"product": {
"name": "python313-jupyter-server-2.18.1-1.1.aarch64",
"product_id": "python313-jupyter-server-2.18.1-1.1.aarch64"
}
},
{
"category": "product_version",
"name": "python313-jupyter-server-test-2.18.1-1.1.aarch64",
"product": {
"name": "python313-jupyter-server-test-2.18.1-1.1.aarch64",
"product_id": "python313-jupyter-server-test-2.18.1-1.1.aarch64"
}
},
{
"category": "product_version",
"name": "python314-jupyter-server-2.18.1-1.1.aarch64",
"product": {
"name": "python314-jupyter-server-2.18.1-1.1.aarch64",
"product_id": "python314-jupyter-server-2.18.1-1.1.aarch64"
}
},
{
"category": "product_version",
"name": "python314-jupyter-server-test-2.18.1-1.1.aarch64",
"product": {
"name": "python314-jupyter-server-test-2.18.1-1.1.aarch64",
"product_id": "python314-jupyter-server-test-2.18.1-1.1.aarch64"
}
}
],
"category": "architecture",
"name": "aarch64"
},
{
"branches": [
{
"category": "product_version",
"name": "python311-jupyter-server-2.18.1-1.1.ppc64le",
"product": {
"name": "python311-jupyter-server-2.18.1-1.1.ppc64le",
"product_id": "python311-jupyter-server-2.18.1-1.1.ppc64le"
}
},
{
"category": "product_version",
"name": "python311-jupyter-server-test-2.18.1-1.1.ppc64le",
"product": {
"name": "python311-jupyter-server-test-2.18.1-1.1.ppc64le",
"product_id": "python311-jupyter-server-test-2.18.1-1.1.ppc64le"
}
},
{
"category": "product_version",
"name": "python313-jupyter-server-2.18.1-1.1.ppc64le",
"product": {
"name": "python313-jupyter-server-2.18.1-1.1.ppc64le",
"product_id": "python313-jupyter-server-2.18.1-1.1.ppc64le"
}
},
{
"category": "product_version",
"name": "python313-jupyter-server-test-2.18.1-1.1.ppc64le",
"product": {
"name": "python313-jupyter-server-test-2.18.1-1.1.ppc64le",
"product_id": "python313-jupyter-server-test-2.18.1-1.1.ppc64le"
}
},
{
"category": "product_version",
"name": "python314-jupyter-server-2.18.1-1.1.ppc64le",
"product": {
"name": "python314-jupyter-server-2.18.1-1.1.ppc64le",
"product_id": "python314-jupyter-server-2.18.1-1.1.ppc64le"
}
},
{
"category": "product_version",
"name": "python314-jupyter-server-test-2.18.1-1.1.ppc64le",
"product": {
"name": "python314-jupyter-server-test-2.18.1-1.1.ppc64le",
"product_id": "python314-jupyter-server-test-2.18.1-1.1.ppc64le"
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "python311-jupyter-server-2.18.1-1.1.s390x",
"product": {
"name": "python311-jupyter-server-2.18.1-1.1.s390x",
"product_id": "python311-jupyter-server-2.18.1-1.1.s390x"
}
},
{
"category": "product_version",
"name": "python311-jupyter-server-test-2.18.1-1.1.s390x",
"product": {
"name": "python311-jupyter-server-test-2.18.1-1.1.s390x",
"product_id": "python311-jupyter-server-test-2.18.1-1.1.s390x"
}
},
{
"category": "product_version",
"name": "python313-jupyter-server-2.18.1-1.1.s390x",
"product": {
"name": "python313-jupyter-server-2.18.1-1.1.s390x",
"product_id": "python313-jupyter-server-2.18.1-1.1.s390x"
}
},
{
"category": "product_version",
"name": "python313-jupyter-server-test-2.18.1-1.1.s390x",
"product": {
"name": "python313-jupyter-server-test-2.18.1-1.1.s390x",
"product_id": "python313-jupyter-server-test-2.18.1-1.1.s390x"
}
},
{
"category": "product_version",
"name": "python314-jupyter-server-2.18.1-1.1.s390x",
"product": {
"name": "python314-jupyter-server-2.18.1-1.1.s390x",
"product_id": "python314-jupyter-server-2.18.1-1.1.s390x"
}
},
{
"category": "product_version",
"name": "python314-jupyter-server-test-2.18.1-1.1.s390x",
"product": {
"name": "python314-jupyter-server-test-2.18.1-1.1.s390x",
"product_id": "python314-jupyter-server-test-2.18.1-1.1.s390x"
}
}
],
"category": "architecture",
"name": "s390x"
},
{
"branches": [
{
"category": "product_version",
"name": "python311-jupyter-server-2.18.1-1.1.x86_64",
"product": {
"name": "python311-jupyter-server-2.18.1-1.1.x86_64",
"product_id": "python311-jupyter-server-2.18.1-1.1.x86_64"
}
},
{
"category": "product_version",
"name": "python311-jupyter-server-test-2.18.1-1.1.x86_64",
"product": {
"name": "python311-jupyter-server-test-2.18.1-1.1.x86_64",
"product_id": "python311-jupyter-server-test-2.18.1-1.1.x86_64"
}
},
{
"category": "product_version",
"name": "python313-jupyter-server-2.18.1-1.1.x86_64",
"product": {
"name": "python313-jupyter-server-2.18.1-1.1.x86_64",
"product_id": "python313-jupyter-server-2.18.1-1.1.x86_64"
}
},
{
"category": "product_version",
"name": "python313-jupyter-server-test-2.18.1-1.1.x86_64",
"product": {
"name": "python313-jupyter-server-test-2.18.1-1.1.x86_64",
"product_id": "python313-jupyter-server-test-2.18.1-1.1.x86_64"
}
},
{
"category": "product_version",
"name": "python314-jupyter-server-2.18.1-1.1.x86_64",
"product": {
"name": "python314-jupyter-server-2.18.1-1.1.x86_64",
"product_id": "python314-jupyter-server-2.18.1-1.1.x86_64"
}
},
{
"category": "product_version",
"name": "python314-jupyter-server-test-2.18.1-1.1.x86_64",
"product": {
"name": "python314-jupyter-server-test-2.18.1-1.1.x86_64",
"product_id": "python314-jupyter-server-test-2.18.1-1.1.x86_64"
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_name",
"name": "openSUSE Tumbleweed",
"product": {
"name": "openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed",
"product_identification_helper": {
"cpe": "cpe:/o:opensuse:tumbleweed"
}
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "python311-jupyter-server-2.18.1-1.1.aarch64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:python311-jupyter-server-2.18.1-1.1.aarch64"
},
"product_reference": "python311-jupyter-server-2.18.1-1.1.aarch64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python311-jupyter-server-2.18.1-1.1.ppc64le as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:python311-jupyter-server-2.18.1-1.1.ppc64le"
},
"product_reference": "python311-jupyter-server-2.18.1-1.1.ppc64le",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python311-jupyter-server-2.18.1-1.1.s390x as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:python311-jupyter-server-2.18.1-1.1.s390x"
},
"product_reference": "python311-jupyter-server-2.18.1-1.1.s390x",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python311-jupyter-server-2.18.1-1.1.x86_64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:python311-jupyter-server-2.18.1-1.1.x86_64"
},
"product_reference": "python311-jupyter-server-2.18.1-1.1.x86_64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python311-jupyter-server-test-2.18.1-1.1.aarch64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:python311-jupyter-server-test-2.18.1-1.1.aarch64"
},
"product_reference": "python311-jupyter-server-test-2.18.1-1.1.aarch64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python311-jupyter-server-test-2.18.1-1.1.ppc64le as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:python311-jupyter-server-test-2.18.1-1.1.ppc64le"
},
"product_reference": "python311-jupyter-server-test-2.18.1-1.1.ppc64le",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python311-jupyter-server-test-2.18.1-1.1.s390x as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:python311-jupyter-server-test-2.18.1-1.1.s390x"
},
"product_reference": "python311-jupyter-server-test-2.18.1-1.1.s390x",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python311-jupyter-server-test-2.18.1-1.1.x86_64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:python311-jupyter-server-test-2.18.1-1.1.x86_64"
},
"product_reference": "python311-jupyter-server-test-2.18.1-1.1.x86_64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python313-jupyter-server-2.18.1-1.1.aarch64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:python313-jupyter-server-2.18.1-1.1.aarch64"
},
"product_reference": "python313-jupyter-server-2.18.1-1.1.aarch64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python313-jupyter-server-2.18.1-1.1.ppc64le as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:python313-jupyter-server-2.18.1-1.1.ppc64le"
},
"product_reference": "python313-jupyter-server-2.18.1-1.1.ppc64le",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python313-jupyter-server-2.18.1-1.1.s390x as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:python313-jupyter-server-2.18.1-1.1.s390x"
},
"product_reference": "python313-jupyter-server-2.18.1-1.1.s390x",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python313-jupyter-server-2.18.1-1.1.x86_64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:python313-jupyter-server-2.18.1-1.1.x86_64"
},
"product_reference": "python313-jupyter-server-2.18.1-1.1.x86_64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python313-jupyter-server-test-2.18.1-1.1.aarch64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:python313-jupyter-server-test-2.18.1-1.1.aarch64"
},
"product_reference": "python313-jupyter-server-test-2.18.1-1.1.aarch64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python313-jupyter-server-test-2.18.1-1.1.ppc64le as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:python313-jupyter-server-test-2.18.1-1.1.ppc64le"
},
"product_reference": "python313-jupyter-server-test-2.18.1-1.1.ppc64le",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python313-jupyter-server-test-2.18.1-1.1.s390x as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:python313-jupyter-server-test-2.18.1-1.1.s390x"
},
"product_reference": "python313-jupyter-server-test-2.18.1-1.1.s390x",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python313-jupyter-server-test-2.18.1-1.1.x86_64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:python313-jupyter-server-test-2.18.1-1.1.x86_64"
},
"product_reference": "python313-jupyter-server-test-2.18.1-1.1.x86_64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python314-jupyter-server-2.18.1-1.1.aarch64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:python314-jupyter-server-2.18.1-1.1.aarch64"
},
"product_reference": "python314-jupyter-server-2.18.1-1.1.aarch64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python314-jupyter-server-2.18.1-1.1.ppc64le as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:python314-jupyter-server-2.18.1-1.1.ppc64le"
},
"product_reference": "python314-jupyter-server-2.18.1-1.1.ppc64le",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python314-jupyter-server-2.18.1-1.1.s390x as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:python314-jupyter-server-2.18.1-1.1.s390x"
},
"product_reference": "python314-jupyter-server-2.18.1-1.1.s390x",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python314-jupyter-server-2.18.1-1.1.x86_64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:python314-jupyter-server-2.18.1-1.1.x86_64"
},
"product_reference": "python314-jupyter-server-2.18.1-1.1.x86_64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python314-jupyter-server-test-2.18.1-1.1.aarch64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:python314-jupyter-server-test-2.18.1-1.1.aarch64"
},
"product_reference": "python314-jupyter-server-test-2.18.1-1.1.aarch64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python314-jupyter-server-test-2.18.1-1.1.ppc64le as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:python314-jupyter-server-test-2.18.1-1.1.ppc64le"
},
"product_reference": "python314-jupyter-server-test-2.18.1-1.1.ppc64le",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python314-jupyter-server-test-2.18.1-1.1.s390x as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:python314-jupyter-server-test-2.18.1-1.1.s390x"
},
"product_reference": "python314-jupyter-server-test-2.18.1-1.1.s390x",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python314-jupyter-server-test-2.18.1-1.1.x86_64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:python314-jupyter-server-test-2.18.1-1.1.x86_64"
},
"product_reference": "python314-jupyter-server-test-2.18.1-1.1.x86_64",
"relates_to_product_reference": "openSUSE Tumbleweed"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2025-61669",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-61669"
}
],
"notes": [
{
"category": "general",
"text": "Jupyter Server is the backend for Jupyter web applications. In jupyter_server versions through 2.17.0, the next query parameter in the login flow is insufficiently validated in `LoginFormHandler._redirect_safe()`, which allows redirects to arbitrary external domains via values such as `///example.com`. An attacker can use a crafted login URL to redirect users to a malicious site and facilitate phishing attacks. This issue is fixed in version 2.18.0.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:python311-jupyter-server-2.18.1-1.1.aarch64",
"openSUSE Tumbleweed:python311-jupyter-server-2.18.1-1.1.ppc64le",
"openSUSE Tumbleweed:python311-jupyter-server-2.18.1-1.1.s390x",
"openSUSE Tumbleweed:python311-jupyter-server-2.18.1-1.1.x86_64",
"openSUSE Tumbleweed:python311-jupyter-server-test-2.18.1-1.1.aarch64",
"openSUSE Tumbleweed:python311-jupyter-server-test-2.18.1-1.1.ppc64le",
"openSUSE Tumbleweed:python311-jupyter-server-test-2.18.1-1.1.s390x",
"openSUSE Tumbleweed:python311-jupyter-server-test-2.18.1-1.1.x86_64",
"openSUSE Tumbleweed:python313-jupyter-server-2.18.1-1.1.aarch64",
"openSUSE Tumbleweed:python313-jupyter-server-2.18.1-1.1.ppc64le",
"openSUSE Tumbleweed:python313-jupyter-server-2.18.1-1.1.s390x",
"openSUSE Tumbleweed:python313-jupyter-server-2.18.1-1.1.x86_64",
"openSUSE Tumbleweed:python313-jupyter-server-test-2.18.1-1.1.aarch64",
"openSUSE Tumbleweed:python313-jupyter-server-test-2.18.1-1.1.ppc64le",
"openSUSE Tumbleweed:python313-jupyter-server-test-2.18.1-1.1.s390x",
"openSUSE Tumbleweed:python313-jupyter-server-test-2.18.1-1.1.x86_64",
"openSUSE Tumbleweed:python314-jupyter-server-2.18.1-1.1.aarch64",
"openSUSE Tumbleweed:python314-jupyter-server-2.18.1-1.1.ppc64le",
"openSUSE Tumbleweed:python314-jupyter-server-2.18.1-1.1.s390x",
"openSUSE Tumbleweed:python314-jupyter-server-2.18.1-1.1.x86_64",
"openSUSE Tumbleweed:python314-jupyter-server-test-2.18.1-1.1.aarch64",
"openSUSE Tumbleweed:python314-jupyter-server-test-2.18.1-1.1.ppc64le",
"openSUSE Tumbleweed:python314-jupyter-server-test-2.18.1-1.1.s390x",
"openSUSE Tumbleweed:python314-jupyter-server-test-2.18.1-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-61669",
"url": "https://www.suse.com/security/cve/CVE-2025-61669"
},
{
"category": "external",
"summary": "SUSE Bug 1264161 for CVE-2025-61669",
"url": "https://bugzilla.suse.com/1264161"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:python311-jupyter-server-2.18.1-1.1.aarch64",
"openSUSE Tumbleweed:python311-jupyter-server-2.18.1-1.1.ppc64le",
"openSUSE Tumbleweed:python311-jupyter-server-2.18.1-1.1.s390x",
"openSUSE Tumbleweed:python311-jupyter-server-2.18.1-1.1.x86_64",
"openSUSE Tumbleweed:python311-jupyter-server-test-2.18.1-1.1.aarch64",
"openSUSE Tumbleweed:python311-jupyter-server-test-2.18.1-1.1.ppc64le",
"openSUSE Tumbleweed:python311-jupyter-server-test-2.18.1-1.1.s390x",
"openSUSE Tumbleweed:python311-jupyter-server-test-2.18.1-1.1.x86_64",
"openSUSE Tumbleweed:python313-jupyter-server-2.18.1-1.1.aarch64",
"openSUSE Tumbleweed:python313-jupyter-server-2.18.1-1.1.ppc64le",
"openSUSE Tumbleweed:python313-jupyter-server-2.18.1-1.1.s390x",
"openSUSE Tumbleweed:python313-jupyter-server-2.18.1-1.1.x86_64",
"openSUSE Tumbleweed:python313-jupyter-server-test-2.18.1-1.1.aarch64",
"openSUSE Tumbleweed:python313-jupyter-server-test-2.18.1-1.1.ppc64le",
"openSUSE Tumbleweed:python313-jupyter-server-test-2.18.1-1.1.s390x",
"openSUSE Tumbleweed:python313-jupyter-server-test-2.18.1-1.1.x86_64",
"openSUSE Tumbleweed:python314-jupyter-server-2.18.1-1.1.aarch64",
"openSUSE Tumbleweed:python314-jupyter-server-2.18.1-1.1.ppc64le",
"openSUSE Tumbleweed:python314-jupyter-server-2.18.1-1.1.s390x",
"openSUSE Tumbleweed:python314-jupyter-server-2.18.1-1.1.x86_64",
"openSUSE Tumbleweed:python314-jupyter-server-test-2.18.1-1.1.aarch64",
"openSUSE Tumbleweed:python314-jupyter-server-test-2.18.1-1.1.ppc64le",
"openSUSE Tumbleweed:python314-jupyter-server-test-2.18.1-1.1.s390x",
"openSUSE Tumbleweed:python314-jupyter-server-test-2.18.1-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-05-06T00:00:00Z",
"details": "moderate"
}
],
"title": "CVE-2025-61669"
},
{
"cve": "CVE-2026-35397",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2026-35397"
}
],
"notes": [
{
"category": "general",
"text": "Jupyter Server is the backend for Jupyter web applications. In versions 2.17.0 and earlier, a path traversal vulnerability in the REST API allows an authenticated user to escape the configured root_dir and access sibling directories whose names begin with the same prefix as the root_dir. For example, with a root_dir named \"test\", the API permits access to a sibling directory named \"testtest\" through a crafted request to the /api/contents endpoint using encoded path components. An attacker can read, write, and delete files in affected sibling directories. Multi-tenant deployments using predictable naming schemes are particularly at risk, as a user with a directory named \"user1\" could access directories for user10 through user19 and beyond. A user who can choose a single-character folder name could gain access to a significant number of sibling directories. \n\nVersion 2.18.0 contains a fix. As a workaround, ensure folder names do not share a common prefix with any sibling directory.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:python311-jupyter-server-2.18.1-1.1.aarch64",
"openSUSE Tumbleweed:python311-jupyter-server-2.18.1-1.1.ppc64le",
"openSUSE Tumbleweed:python311-jupyter-server-2.18.1-1.1.s390x",
"openSUSE Tumbleweed:python311-jupyter-server-2.18.1-1.1.x86_64",
"openSUSE Tumbleweed:python311-jupyter-server-test-2.18.1-1.1.aarch64",
"openSUSE Tumbleweed:python311-jupyter-server-test-2.18.1-1.1.ppc64le",
"openSUSE Tumbleweed:python311-jupyter-server-test-2.18.1-1.1.s390x",
"openSUSE Tumbleweed:python311-jupyter-server-test-2.18.1-1.1.x86_64",
"openSUSE Tumbleweed:python313-jupyter-server-2.18.1-1.1.aarch64",
"openSUSE Tumbleweed:python313-jupyter-server-2.18.1-1.1.ppc64le",
"openSUSE Tumbleweed:python313-jupyter-server-2.18.1-1.1.s390x",
"openSUSE Tumbleweed:python313-jupyter-server-2.18.1-1.1.x86_64",
"openSUSE Tumbleweed:python313-jupyter-server-test-2.18.1-1.1.aarch64",
"openSUSE Tumbleweed:python313-jupyter-server-test-2.18.1-1.1.ppc64le",
"openSUSE Tumbleweed:python313-jupyter-server-test-2.18.1-1.1.s390x",
"openSUSE Tumbleweed:python313-jupyter-server-test-2.18.1-1.1.x86_64",
"openSUSE Tumbleweed:python314-jupyter-server-2.18.1-1.1.aarch64",
"openSUSE Tumbleweed:python314-jupyter-server-2.18.1-1.1.ppc64le",
"openSUSE Tumbleweed:python314-jupyter-server-2.18.1-1.1.s390x",
"openSUSE Tumbleweed:python314-jupyter-server-2.18.1-1.1.x86_64",
"openSUSE Tumbleweed:python314-jupyter-server-test-2.18.1-1.1.aarch64",
"openSUSE Tumbleweed:python314-jupyter-server-test-2.18.1-1.1.ppc64le",
"openSUSE Tumbleweed:python314-jupyter-server-test-2.18.1-1.1.s390x",
"openSUSE Tumbleweed:python314-jupyter-server-test-2.18.1-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2026-35397",
"url": "https://www.suse.com/security/cve/CVE-2026-35397"
},
{
"category": "external",
"summary": "SUSE Bug 1264212 for CVE-2026-35397",
"url": "https://bugzilla.suse.com/1264212"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:python311-jupyter-server-2.18.1-1.1.aarch64",
"openSUSE Tumbleweed:python311-jupyter-server-2.18.1-1.1.ppc64le",
"openSUSE Tumbleweed:python311-jupyter-server-2.18.1-1.1.s390x",
"openSUSE Tumbleweed:python311-jupyter-server-2.18.1-1.1.x86_64",
"openSUSE Tumbleweed:python311-jupyter-server-test-2.18.1-1.1.aarch64",
"openSUSE Tumbleweed:python311-jupyter-server-test-2.18.1-1.1.ppc64le",
"openSUSE Tumbleweed:python311-jupyter-server-test-2.18.1-1.1.s390x",
"openSUSE Tumbleweed:python311-jupyter-server-test-2.18.1-1.1.x86_64",
"openSUSE Tumbleweed:python313-jupyter-server-2.18.1-1.1.aarch64",
"openSUSE Tumbleweed:python313-jupyter-server-2.18.1-1.1.ppc64le",
"openSUSE Tumbleweed:python313-jupyter-server-2.18.1-1.1.s390x",
"openSUSE Tumbleweed:python313-jupyter-server-2.18.1-1.1.x86_64",
"openSUSE Tumbleweed:python313-jupyter-server-test-2.18.1-1.1.aarch64",
"openSUSE Tumbleweed:python313-jupyter-server-test-2.18.1-1.1.ppc64le",
"openSUSE Tumbleweed:python313-jupyter-server-test-2.18.1-1.1.s390x",
"openSUSE Tumbleweed:python313-jupyter-server-test-2.18.1-1.1.x86_64",
"openSUSE Tumbleweed:python314-jupyter-server-2.18.1-1.1.aarch64",
"openSUSE Tumbleweed:python314-jupyter-server-2.18.1-1.1.ppc64le",
"openSUSE Tumbleweed:python314-jupyter-server-2.18.1-1.1.s390x",
"openSUSE Tumbleweed:python314-jupyter-server-2.18.1-1.1.x86_64",
"openSUSE Tumbleweed:python314-jupyter-server-test-2.18.1-1.1.aarch64",
"openSUSE Tumbleweed:python314-jupyter-server-test-2.18.1-1.1.ppc64le",
"openSUSE Tumbleweed:python314-jupyter-server-test-2.18.1-1.1.s390x",
"openSUSE Tumbleweed:python314-jupyter-server-test-2.18.1-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-05-06T00:00:00Z",
"details": "moderate"
}
],
"title": "CVE-2026-35397"
},
{
"cve": "CVE-2026-40110",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2026-40110"
}
],
"notes": [
{
"category": "general",
"text": "Jupyter Server is the backend for Jupyter web applications. In versions 2.17.0 and earlier, the Origin header validation uses Python\u0027s re.match() to check incoming origins against the allow_origin_pat configuration value. Because re.match() only anchors at the start of the string and does not require a full match, a pattern intended to match only a trusted domain (e.g., trusted.example.com) will also match any origin that begins with that domain followed by additional characters (e.g., trusted.example.com.evil.com). An attacker who controls such a domain can bypass the CORS origin restriction and make cross-origin requests to the Jupyter Server API from an untrusted site. This issue has been fixed in version 2.18.0.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:python311-jupyter-server-2.18.1-1.1.aarch64",
"openSUSE Tumbleweed:python311-jupyter-server-2.18.1-1.1.ppc64le",
"openSUSE Tumbleweed:python311-jupyter-server-2.18.1-1.1.s390x",
"openSUSE Tumbleweed:python311-jupyter-server-2.18.1-1.1.x86_64",
"openSUSE Tumbleweed:python311-jupyter-server-test-2.18.1-1.1.aarch64",
"openSUSE Tumbleweed:python311-jupyter-server-test-2.18.1-1.1.ppc64le",
"openSUSE Tumbleweed:python311-jupyter-server-test-2.18.1-1.1.s390x",
"openSUSE Tumbleweed:python311-jupyter-server-test-2.18.1-1.1.x86_64",
"openSUSE Tumbleweed:python313-jupyter-server-2.18.1-1.1.aarch64",
"openSUSE Tumbleweed:python313-jupyter-server-2.18.1-1.1.ppc64le",
"openSUSE Tumbleweed:python313-jupyter-server-2.18.1-1.1.s390x",
"openSUSE Tumbleweed:python313-jupyter-server-2.18.1-1.1.x86_64",
"openSUSE Tumbleweed:python313-jupyter-server-test-2.18.1-1.1.aarch64",
"openSUSE Tumbleweed:python313-jupyter-server-test-2.18.1-1.1.ppc64le",
"openSUSE Tumbleweed:python313-jupyter-server-test-2.18.1-1.1.s390x",
"openSUSE Tumbleweed:python313-jupyter-server-test-2.18.1-1.1.x86_64",
"openSUSE Tumbleweed:python314-jupyter-server-2.18.1-1.1.aarch64",
"openSUSE Tumbleweed:python314-jupyter-server-2.18.1-1.1.ppc64le",
"openSUSE Tumbleweed:python314-jupyter-server-2.18.1-1.1.s390x",
"openSUSE Tumbleweed:python314-jupyter-server-2.18.1-1.1.x86_64",
"openSUSE Tumbleweed:python314-jupyter-server-test-2.18.1-1.1.aarch64",
"openSUSE Tumbleweed:python314-jupyter-server-test-2.18.1-1.1.ppc64le",
"openSUSE Tumbleweed:python314-jupyter-server-test-2.18.1-1.1.s390x",
"openSUSE Tumbleweed:python314-jupyter-server-test-2.18.1-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2026-40110",
"url": "https://www.suse.com/security/cve/CVE-2026-40110"
},
{
"category": "external",
"summary": "SUSE Bug 1264213 for CVE-2026-40110",
"url": "https://bugzilla.suse.com/1264213"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:python311-jupyter-server-2.18.1-1.1.aarch64",
"openSUSE Tumbleweed:python311-jupyter-server-2.18.1-1.1.ppc64le",
"openSUSE Tumbleweed:python311-jupyter-server-2.18.1-1.1.s390x",
"openSUSE Tumbleweed:python311-jupyter-server-2.18.1-1.1.x86_64",
"openSUSE Tumbleweed:python311-jupyter-server-test-2.18.1-1.1.aarch64",
"openSUSE Tumbleweed:python311-jupyter-server-test-2.18.1-1.1.ppc64le",
"openSUSE Tumbleweed:python311-jupyter-server-test-2.18.1-1.1.s390x",
"openSUSE Tumbleweed:python311-jupyter-server-test-2.18.1-1.1.x86_64",
"openSUSE Tumbleweed:python313-jupyter-server-2.18.1-1.1.aarch64",
"openSUSE Tumbleweed:python313-jupyter-server-2.18.1-1.1.ppc64le",
"openSUSE Tumbleweed:python313-jupyter-server-2.18.1-1.1.s390x",
"openSUSE Tumbleweed:python313-jupyter-server-2.18.1-1.1.x86_64",
"openSUSE Tumbleweed:python313-jupyter-server-test-2.18.1-1.1.aarch64",
"openSUSE Tumbleweed:python313-jupyter-server-test-2.18.1-1.1.ppc64le",
"openSUSE Tumbleweed:python313-jupyter-server-test-2.18.1-1.1.s390x",
"openSUSE Tumbleweed:python313-jupyter-server-test-2.18.1-1.1.x86_64",
"openSUSE Tumbleweed:python314-jupyter-server-2.18.1-1.1.aarch64",
"openSUSE Tumbleweed:python314-jupyter-server-2.18.1-1.1.ppc64le",
"openSUSE Tumbleweed:python314-jupyter-server-2.18.1-1.1.s390x",
"openSUSE Tumbleweed:python314-jupyter-server-2.18.1-1.1.x86_64",
"openSUSE Tumbleweed:python314-jupyter-server-test-2.18.1-1.1.aarch64",
"openSUSE Tumbleweed:python314-jupyter-server-test-2.18.1-1.1.ppc64le",
"openSUSE Tumbleweed:python314-jupyter-server-test-2.18.1-1.1.s390x",
"openSUSE Tumbleweed:python314-jupyter-server-test-2.18.1-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-05-06T00:00:00Z",
"details": "moderate"
}
],
"title": "CVE-2026-40110"
},
{
"cve": "CVE-2026-40934",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2026-40934"
}
],
"notes": [
{
"category": "general",
"text": "Jupyter Server is the backend for Jupyter web applications. In versions 2.17.0 and earlier, the secret used to sign authentication cookies is persisted to a static file at ~/.local/share/jupyter/runtime/jupyter_cookie_secret and is never rotated when a user changes their password. After a password reset and server restart, any previously issued authentication cookie remains cryptographically valid because the signing key has not changed. An attacker who has captured a session cookie through any means retains full authenticated access to the server regardless of subsequent password changes. This affects deployments using password-based authentication, particularly shared or public-facing servers where credential rotation is expected to revoke existing sessions. This issue has been fixed in version 2.18.0.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:python311-jupyter-server-2.18.1-1.1.aarch64",
"openSUSE Tumbleweed:python311-jupyter-server-2.18.1-1.1.ppc64le",
"openSUSE Tumbleweed:python311-jupyter-server-2.18.1-1.1.s390x",
"openSUSE Tumbleweed:python311-jupyter-server-2.18.1-1.1.x86_64",
"openSUSE Tumbleweed:python311-jupyter-server-test-2.18.1-1.1.aarch64",
"openSUSE Tumbleweed:python311-jupyter-server-test-2.18.1-1.1.ppc64le",
"openSUSE Tumbleweed:python311-jupyter-server-test-2.18.1-1.1.s390x",
"openSUSE Tumbleweed:python311-jupyter-server-test-2.18.1-1.1.x86_64",
"openSUSE Tumbleweed:python313-jupyter-server-2.18.1-1.1.aarch64",
"openSUSE Tumbleweed:python313-jupyter-server-2.18.1-1.1.ppc64le",
"openSUSE Tumbleweed:python313-jupyter-server-2.18.1-1.1.s390x",
"openSUSE Tumbleweed:python313-jupyter-server-2.18.1-1.1.x86_64",
"openSUSE Tumbleweed:python313-jupyter-server-test-2.18.1-1.1.aarch64",
"openSUSE Tumbleweed:python313-jupyter-server-test-2.18.1-1.1.ppc64le",
"openSUSE Tumbleweed:python313-jupyter-server-test-2.18.1-1.1.s390x",
"openSUSE Tumbleweed:python313-jupyter-server-test-2.18.1-1.1.x86_64",
"openSUSE Tumbleweed:python314-jupyter-server-2.18.1-1.1.aarch64",
"openSUSE Tumbleweed:python314-jupyter-server-2.18.1-1.1.ppc64le",
"openSUSE Tumbleweed:python314-jupyter-server-2.18.1-1.1.s390x",
"openSUSE Tumbleweed:python314-jupyter-server-2.18.1-1.1.x86_64",
"openSUSE Tumbleweed:python314-jupyter-server-test-2.18.1-1.1.aarch64",
"openSUSE Tumbleweed:python314-jupyter-server-test-2.18.1-1.1.ppc64le",
"openSUSE Tumbleweed:python314-jupyter-server-test-2.18.1-1.1.s390x",
"openSUSE Tumbleweed:python314-jupyter-server-test-2.18.1-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2026-40934",
"url": "https://www.suse.com/security/cve/CVE-2026-40934"
},
{
"category": "external",
"summary": "SUSE Bug 1264214 for CVE-2026-40934",
"url": "https://bugzilla.suse.com/1264214"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:python311-jupyter-server-2.18.1-1.1.aarch64",
"openSUSE Tumbleweed:python311-jupyter-server-2.18.1-1.1.ppc64le",
"openSUSE Tumbleweed:python311-jupyter-server-2.18.1-1.1.s390x",
"openSUSE Tumbleweed:python311-jupyter-server-2.18.1-1.1.x86_64",
"openSUSE Tumbleweed:python311-jupyter-server-test-2.18.1-1.1.aarch64",
"openSUSE Tumbleweed:python311-jupyter-server-test-2.18.1-1.1.ppc64le",
"openSUSE Tumbleweed:python311-jupyter-server-test-2.18.1-1.1.s390x",
"openSUSE Tumbleweed:python311-jupyter-server-test-2.18.1-1.1.x86_64",
"openSUSE Tumbleweed:python313-jupyter-server-2.18.1-1.1.aarch64",
"openSUSE Tumbleweed:python313-jupyter-server-2.18.1-1.1.ppc64le",
"openSUSE Tumbleweed:python313-jupyter-server-2.18.1-1.1.s390x",
"openSUSE Tumbleweed:python313-jupyter-server-2.18.1-1.1.x86_64",
"openSUSE Tumbleweed:python313-jupyter-server-test-2.18.1-1.1.aarch64",
"openSUSE Tumbleweed:python313-jupyter-server-test-2.18.1-1.1.ppc64le",
"openSUSE Tumbleweed:python313-jupyter-server-test-2.18.1-1.1.s390x",
"openSUSE Tumbleweed:python313-jupyter-server-test-2.18.1-1.1.x86_64",
"openSUSE Tumbleweed:python314-jupyter-server-2.18.1-1.1.aarch64",
"openSUSE Tumbleweed:python314-jupyter-server-2.18.1-1.1.ppc64le",
"openSUSE Tumbleweed:python314-jupyter-server-2.18.1-1.1.s390x",
"openSUSE Tumbleweed:python314-jupyter-server-2.18.1-1.1.x86_64",
"openSUSE Tumbleweed:python314-jupyter-server-test-2.18.1-1.1.aarch64",
"openSUSE Tumbleweed:python314-jupyter-server-test-2.18.1-1.1.ppc64le",
"openSUSE Tumbleweed:python314-jupyter-server-test-2.18.1-1.1.s390x",
"openSUSE Tumbleweed:python314-jupyter-server-test-2.18.1-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-05-06T00:00:00Z",
"details": "moderate"
}
],
"title": "CVE-2026-40934"
}
]
}
PYSEC-2026-69
Vulnerability from pysec - Published: 2026-05-05 22:16 - Updated: 2026-05-20 09:19
VLAI
Details
Jupyter Server is the backend for Jupyter web applications. In versions 2.17.0 and earlier, the secret used to sign authentication cookies is persisted to a static file at ~/.local/share/jupyter/runtime/jupyter_cookie_secret and is never rotated when a user changes their password. After a password reset and server restart, any previously issued authentication cookie remains cryptographically valid because the signing key has not changed. An attacker who has captured a session cookie through any means retains full authenticated access to the server regardless of subsequent password changes. This affects deployments using password-based authentication, particularly shared or public-facing servers where credential rotation is expected to revoke existing sessions. This issue has been fixed in version 2.18.0.
Severity
6.8 (Medium)
Impacted products
| Name | purl | jupyter-server | pkg:pypi/jupyter-server |
|---|
Aliases
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "jupyter-server",
"purl": "pkg:pypi/jupyter-server"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.18.0"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"0.0.0",
"0.0.1",
"0.0.2",
"0.0.3",
"0.0.4",
"0.0.5",
"0.1.0",
"0.1.1",
"0.2.0",
"0.2.1",
"0.3.0",
"1.0.0",
"1.0.0rc0",
"1.0.0rc1",
"1.0.0rc10",
"1.0.0rc11",
"1.0.0rc12",
"1.0.0rc13",
"1.0.0rc14",
"1.0.0rc15",
"1.0.0rc16",
"1.0.0rc2",
"1.0.0rc3",
"1.0.0rc4",
"1.0.0rc5",
"1.0.0rc6",
"1.0.0rc7",
"1.0.0rc8",
"1.0.0rc9",
"1.0.1",
"1.0.10",
"1.0.11",
"1.0.2",
"1.0.3",
"1.0.4",
"1.0.5",
"1.0.6",
"1.0.7",
"1.0.8",
"1.0.9",
"1.1.0",
"1.1.1",
"1.1.2",
"1.1.3",
"1.1.4",
"1.10.0",
"1.10.1",
"1.10.2",
"1.11.0",
"1.11.1",
"1.11.2",
"1.12.0",
"1.12.1",
"1.13.0",
"1.13.1",
"1.13.2",
"1.13.3",
"1.13.4",
"1.13.5",
"1.15.0",
"1.15.1",
"1.15.2",
"1.15.3",
"1.15.4",
"1.15.5",
"1.15.6",
"1.16.0",
"1.17.0",
"1.17.1",
"1.18.0",
"1.18.1",
"1.19.0",
"1.19.1",
"1.2.0",
"1.2.1",
"1.2.2",
"1.2.3",
"1.21.0",
"1.23.0",
"1.23.1",
"1.23.2",
"1.23.3",
"1.23.4",
"1.23.5",
"1.23.6",
"1.24.0",
"1.3.0",
"1.4.0",
"1.4.1",
"1.5.0",
"1.5.1",
"1.6.0",
"1.6.1",
"1.6.2",
"1.6.3",
"1.6.4",
"1.7.0",
"1.7.0a1",
"1.7.0a2",
"1.8.0",
"1.9.0",
"2.0.0",
"2.0.0a0",
"2.0.0a1",
"2.0.0a2",
"2.0.0b0",
"2.0.0b1",
"2.0.0rc0",
"2.0.0rc1",
"2.0.0rc2",
"2.0.0rc3",
"2.0.0rc4",
"2.0.0rc5",
"2.0.0rc6",
"2.0.0rc7",
"2.0.0rc8",
"2.0.1",
"2.0.2",
"2.0.3",
"2.0.4",
"2.0.5",
"2.0.6",
"2.0.7",
"2.1.0",
"2.10.0",
"2.10.1",
"2.11.0",
"2.11.1",
"2.11.2",
"2.12.0",
"2.12.1",
"2.12.2",
"2.12.3",
"2.12.4",
"2.12.5",
"2.13.0",
"2.14.0",
"2.14.1",
"2.14.2",
"2.15.0",
"2.16.0",
"2.17.0",
"2.2.0",
"2.2.1",
"2.3.0",
"2.4.0",
"2.5.0",
"2.6.0",
"2.7.0",
"2.7.1",
"2.7.2",
"2.7.3",
"2.8.0",
"2.9.0",
"2.9.1"
]
}
],
"aliases": [
"CVE-2026-40934",
"GHSA-5mrq-x3x5-8v8f"
],
"details": "Jupyter Server is the backend for Jupyter web applications. In versions 2.17.0 and earlier, the secret used to sign authentication cookies is persisted to a static file at ~/.local/share/jupyter/runtime/jupyter_cookie_secret and is never rotated when a user changes their password. After a password reset and server restart, any previously issued authentication cookie remains cryptographically valid because the signing key has not changed. An attacker who has captured a session cookie through any means retains full authenticated access to the server regardless of subsequent password changes. This affects deployments using password-based authentication, particularly shared or public-facing servers where credential rotation is expected to revoke existing sessions. This issue has been fixed in version 2.18.0.",
"id": "PYSEC-2026-69",
"modified": "2026-05-20T09:19:02.981614Z",
"published": "2026-05-05T22:16:00.820Z",
"references": [
{
"type": "EVIDENCE",
"url": "https://github.com/jupyter-server/jupyter_server/security/advisories/GHSA-5mrq-x3x5-8v8f"
}
],
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N",
"type": "CVSS_V3"
}
]
}
Loading…
Trend slope:
-
(linear fit over daily sighting counts)
Show additional events:
Loading…
Experimental. This forecast is provided for visualization only and may change without notice. Do not use it for operational decisions.
Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…