Platform
python
Component
oauthenticator
Fixed in
17.4.1
CVE-2026-33175 describes an authentication bypass vulnerability in oauthenticator, a Python package used with JupyterHub for OAuth2 identity providers. This flaw allows an attacker possessing an unverified email address within an Auth0 tenant to circumvent authentication controls and gain unauthorized access. The vulnerability affects versions 0.0.0 up to 17.3.9, and a patch is available in version 17.4.0.
The primary impact of this vulnerability is account takeover within JupyterHub environments. By leveraging an unverified email address in Auth0, an attacker can bypass the standard authentication process and impersonate legitimate users. This can lead to unauthorized access to sensitive data, modification of Jupyter notebooks, and potentially lateral movement within the network if JupyterHub is integrated with other systems. The ability to control the username claim further exacerbates the risk, allowing attackers to create accounts with predictable or malicious usernames.
This vulnerability was publicly disclosed on 2026-04-03. There are currently no known public exploits or active campaigns targeting this vulnerability. It is not listed on the CISA KEV catalog at the time of writing. The ease of exploitation, coupled with the potential for account takeover, warrants careful attention and prompt remediation.
Organizations utilizing JupyterHub with oauthenticator for authentication, particularly those relying on Auth0 for identity management, are at risk. This includes research institutions, data science teams, and educational organizations where JupyterHub is used for collaborative coding and data analysis. Legacy JupyterHub deployments with older oauthenticator versions are especially vulnerable.
• python / JupyterHub:
    import re
    import subprocess
    import sys

    def version_tuple(v):
        # Compare numerically: a plain string comparison would treat '9.0.0' as newer than '17.4.0'.
        return tuple(int(m.group()) for m in re.finditer(r'\d+', v))

    # Query pip from the same interpreter that runs JupyterHub, not whatever 'pip' is on PATH.
    result = subprocess.run([sys.executable, '-m', 'pip', 'show', 'oauthenticator'], capture_output=True, text=True)
    if 'Version:' in result.stdout:
        version = result.stdout.split('Version: ')[1].split('\n')[0].strip()
        if version_tuple(version) < (17, 4, 0):
            print('Vulnerability detected: oauthenticator version is < 17.4.0')
        else:
            print('oauthenticator ' + version + ' is not affected.')
    else:
        print('oauthenticator not found.')
• python / JupyterHub: Check JupyterHub logs for login attempts using unverified email addresses from Auth0.
• generic web: Monitor JupyterHub login endpoints for unusual activity or requests from suspicious IP addresses.
disclosure
Exploit status
EPSS
0.10% (28th percentile)
CISA SSVC
CVSS vector
The recommended mitigation is to immediately upgrade oauthenticator to version 17.4.0 or later. If upgrading is not immediately feasible due to compatibility issues or breaking changes, consider temporarily restricting access to JupyterHub based on verified email addresses within Auth0. Implement stricter authentication policies within Auth0 to minimize the risk of unverified email addresses being used for malicious purposes. Monitor JupyterHub logs for suspicious login attempts, particularly those associated with unverified email addresses.
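The compensating control described above (accept only identities whose email Auth0 has verified) can be enforced at the JupyterHub layer while the upgrade is scheduled. The following is an added example, not code from this advisory or from the oauthenticator project; it assumes the provider's userinfo claims are stored under auth_state["oauth_user"] (oauthenticator's default key) and that Auth0 returns the standard OIDC claims "email" and "email_verified".

```python
# Added example (not from the advisory or oauthenticator): a JupyterHub
# post_auth_hook that denies any login whose identity-provider claims lack
# a verified email, and binds the JupyterHub username to that email.
import logging
from typing import Any, Optional

log = logging.getLogger("jupyterhub.verified_email")

# Assumption: oauthenticator places the provider's userinfo here by default.
USERINFO_KEY = "oauth_user"


def verified_email(claims: dict) -> Optional[str]:
    """Return the normalised email only if the provider marked it verified."""
    email = claims.get("email")
    if not isinstance(email, str) or "@" not in email:
        return None
    # Auth0 sends a boolean; tolerate the string form some providers emit.
    if claims.get("email_verified") not in (True, "true"):
        return None
    return email.strip().lower()


def require_verified_email(authenticator: Any, handler: Any, authentication: Optional[dict]):
    """JupyterHub post_auth_hook: return the auth dict to allow, None to deny."""
    auth_state = (authentication or {}).get("auth_state") or {}
    claims = auth_state.get(USERINFO_KEY) or {}
    email = verified_email(claims)
    if email is None:
        # Log at WARNING so unverified-email attempts show up in hub logs.
        log.warning("refusing login without verified email claim: %r", claims.get("email"))
        return None
    # Derive the username from the verified email rather than from a
    # separately chosen claim, so the identity cannot be spoofed that way.
    authentication["name"] = email
    return authentication


# In jupyterhub_config.py:
#   c.Authenticator.post_auth_hook = require_verified_email
```

The hook runs after the OAuth exchange and before the user session is created, so a denied identity never reaches the hub's allow-list or spawner logic.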
Update OAuthenticator to version 17.4.0 or later to mitigate the authentication bypass vulnerability. The update fixes the issue by verifying email claims before logging the user in to JupyterHub, which removes the account takeover path.
CVE-2026-33175 is a HIGH severity vulnerability in oauthenticator allowing attackers with unverified Auth0 emails to bypass authentication and potentially take over JupyterHub accounts.
You are affected if you are using oauthenticator versions 0.0.0 through 17.3.9 with JupyterHub and rely on Auth0 for authentication.
Upgrade oauthenticator to version 17.4.0 or later to resolve the authentication bypass vulnerability.
As of the current assessment, there are no known public exploits or active campaigns targeting CVE-2026-33175.
Refer to the oauthenticator project's release notes and security advisories for official information regarding CVE-2026-33175.