Platform: python
Component: oauthenticator
Fixed in: 17.4.1
CVE-2026-33175 describes an authentication bypass vulnerability in oauthenticator, a Python package that lets JupyterHub authenticate users against OAuth2 identity providers. The flaw allows an attacker who holds an unverified email address within an Auth0 tenant to circumvent authentication controls and gain unauthorized access. The vulnerability affects versions 0.0.0 through 17.3.9, and a patch is available in version 17.4.0.
The primary impact of this vulnerability is account takeover within JupyterHub environments. By presenting an unverified email address from Auth0, an attacker can bypass the standard authentication process and impersonate legitimate users. This can lead to unauthorized access to sensitive data, modification of Jupyter notebooks and potentially lateral movement within the network if JupyterHub is integrated with other systems. The ability to influence the username claim further exacerbates the risk, allowing attackers to obtain accounts with predictable or malicious usernames.
This vulnerability was publicly disclosed on 2026-04-03. There are currently no known public exploits or active campaigns targeting this vulnerability. It is not listed on the CISA KEV catalog at the time of writing. The ease of exploitation, coupled with the potential for account takeover, warrants careful attention and prompt remediation.
Exploit Status
EPSS: 0.10% (28th percentile)
The recommended mitigation is to immediately upgrade oauthenticator to version 17.4.0 or later. If upgrading is not immediately feasible due to compatibility issues or breaking changes, consider temporarily restricting access to JupyterHub based on verified email addresses within Auth0. Implement stricter authentication policies within Auth0 to minimize the risk of unverified email addresses being used for malicious purposes. Monitor JupyterHub logs for suspicious login attempts, particularly those associated with unverified email addresses.
Update oauthenticator to version 17.4.0 or higher to mitigate the authentication bypass vulnerability. This update fixes the issue by verifying email claims before allowing login to JupyterHub, thus preventing the possibility of account takeover.
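To illustrate the class of check the fix introduces, here is an added example (not oauthenticator's own code) that maps identity-provider claims to a JupyterHub username and refuses the login when the username rests on an email the provider has not verified. It assumes OIDC-style claims, in particular `email` and the boolean `email_verified`; the userinfo documents below are constructed for the demonstration.

```python
"""Added example: derive a login username only from a verified email claim."""
from typing import Optional


def resolve_username_unchecked(userinfo: dict, username_claim: str = "email") -> Optional[str]:
    """Vulnerable pattern: trusts whatever value the claim carries.

    Any account in the tenant that merely registered an email address,
    verified or not, is accepted as that address's owner.
    """
    return userinfo.get(username_claim) or None


def resolve_username(userinfo: dict, username_claim: str = "email") -> Optional[str]:
    """Hardened pattern: return a username, or None to refuse the login.

    When the username is the email claim, the identity provider's
    `email_verified` flag (standard OIDC claim; assumed here) must be
    exactly True. Any other value, including a missing flag or a string
    such as "true", is treated as unverified and rejected.
    """
    username = userinfo.get(username_claim)
    if not username:
        return None  # no usable identity claim at all
    if username_claim == "email" and userinfo.get("email_verified") is not True:
        return None  # email not verified by the IdP: refuse rather than impersonate
    return username


# Constructed sample userinfo responses for the demonstration.
VERIFIED = {"sub": "auth0|111", "email": "alice@example.org", "email_verified": True}
UNVERIFIED = {"sub": "auth0|222", "email": "alice@example.org", "email_verified": False}
MISSING_FLAG = {"sub": "auth0|333", "email": "alice@example.org"}


def demo() -> dict:
    """Show how each response is treated by the two resolvers."""
    return {
        "unchecked_unverified": resolve_username_unchecked(UNVERIFIED),
        "checked_verified": resolve_username(VERIFIED),
        "checked_unverified": resolve_username(UNVERIFIED),
        "checked_missing_flag": resolve_username(MISSING_FLAG),
        "checked_by_sub": resolve_username(MISSING_FLAG, username_claim="sub"),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result!r}")
```

Using a stable, non-email claim such as `sub` as the username, as the last case shows, removes the dependence on email verification altogether.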
CVE-2026-33175 is a HIGH severity vulnerability in oauthenticator allowing attackers with unverified Auth0 emails to bypass authentication and potentially take over JupyterHub accounts.
You are affected if you are using oauthenticator versions 0.0.0 through 17.3.9 with JupyterHub and rely on Auth0 for authentication.
Upgrade oauthenticator to version 17.4.0 or later to resolve the authentication bypass vulnerability.
As of the current assessment, there are no known public exploits or active campaigns targeting CVE-2026-33175.
Refer to the oauthenticator project's release notes and security advisories for official information regarding CVE-2026-33175.