Platform: python
Component: oauthenticator
Fixed version: 17.4.1
CVE-2026-33175 describes an authentication bypass vulnerability in oauthenticator, a Python package used with JupyterHub for OAuth2 identity providers. This flaw allows an attacker possessing an unverified email address within an Auth0 tenant to circumvent authentication controls and gain unauthorized access. The vulnerability affects versions 0.0.0 up to 17.3.9, and a patch is available in version 17.4.0.
The primary impact of this vulnerability is account takeover within JupyterHub environments. By leveraging an unverified email address in Auth0, an attacker can bypass the standard authentication process and impersonate legitimate users. This can lead to unauthorized access to sensitive data, modification of Jupyter notebooks and, potentially, lateral movement within the network if JupyterHub is integrated with other systems. The ability to control the username claim further exacerbates the risk, allowing attackers to create accounts with predictable or malicious usernames.
This vulnerability was publicly disclosed on 2026-04-03. There are currently no known public exploits or active campaigns targeting this vulnerability. It is not listed on the CISA KEV catalog at the time of writing. The ease of exploitation, coupled with the potential for account takeover, warrants careful attention and prompt remediation.
Organizations utilizing JupyterHub with oauthenticator for authentication, particularly those relying on Auth0 for identity management, are at risk. This includes research institutions, data science teams, and educational organizations where JupyterHub is used for collaborative coding and data analysis. Legacy JupyterHub deployments with older oauthenticator versions are especially vulnerable.
• python / JupyterHub:
    import subprocess
    from packaging.version import Version  # pip install packaging

    # Ask pip for the installed oauthenticator metadata
    result = subprocess.run(['pip', 'show', 'oauthenticator'], capture_output=True, text=True)
    if 'Version' in result.stdout:
        version = result.stdout.split('Version: ')[1].split('\n')[0].strip()
        # Compare as version objects, not strings: as strings '17.10.0' < '17.4.0'
        if Version(version) < Version('17.4.0'):
            print('Vulnerability detected: oauthenticator version is < 17.4.0')
        else:
            print(f'oauthenticator {version} is at or above the patched version')
    else:
        print('oauthenticator not found.')
• python / JupyterHub: Check JupyterHub logs for login attempts using unverified email addresses from Auth0.
• generic web: Monitor JupyterHub login endpoints for unusual activity or requests from suspicious IP addresses.
Disclosure
Exploitation status
EPSS: 0.10% (28th percentile)
CISA SSVC
CVSS vector
The recommended mitigation is to immediately upgrade oauthenticator to version 17.4.0 or later. If upgrading is not immediately feasible due to compatibility issues or breaking changes, consider temporarily restricting access to JupyterHub based on verified email addresses within Auth0. Implement stricter authentication policies within Auth0 to minimize the risk of unverified email addresses being used for malicious purposes. Monitor JupyterHub logs for suspicious login attempts, particularly those associated with unverified email addresses.
Update oauthenticator to 17.4.0 or later to mitigate the authentication bypass. The update fixes the issue by verifying the email claim before allowing login to JupyterHub, which removes the account-takeover possibility.
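The fix described above boils down to one rule: an email claim from the identity provider is only usable as an identity once the provider says it is verified. The following is an added example of that gate, not oauthenticator's own code. It assumes the provider (Auth0 here) returns OIDC-style userinfo containing `email` and `email_verified` claims; the function names, the `LoginDenied` exception and the sample userinfo dictionaries are constructed for illustration, and the point where such a check would hook into a real authenticator is not taken from the page.

```python
"""Gate a JupyterHub-style login on a verified email claim.

Added example, not part of oauthenticator. Assumes OIDC-style userinfo
with `email` and `email_verified` claims (Auth0 exposes both); the
function names and integration point are hypothetical.
"""
from typing import Any


class LoginDenied(Exception):
    """Raised when the userinfo does not prove ownership of the email."""


def username_from_userinfo(userinfo: dict[str, Any]) -> str:
    """Return the username to log in as, or raise LoginDenied.

    Rejects a missing or malformed email, a missing `email_verified`
    claim, and any value of it other than the boolean True. The check is
    strict (`is True`) so the string "true", the integer 1 or a truthy
    object cannot slip through a loosely typed provider response.
    """
    email = userinfo.get("email")
    if not isinstance(email, str) or "@" not in email:
        raise LoginDenied("no usable email claim in userinfo")
    if userinfo.get("email_verified") is not True:
        raise LoginDenied(f"email {email!r} is not verified by the provider")
    # Derive the username from the verified email only, never from a
    # separately attacker-settable claim such as a display name.
    return email.lower()


def is_login_allowed(userinfo: dict[str, Any]) -> bool:
    """Boolean wrapper around username_from_userinfo for policy checks."""
    try:
        username_from_userinfo(userinfo)
        return True
    except LoginDenied:
        return False


# Constructed sample responses, shaped like OIDC userinfo payloads.
SAMPLES = {
    "verified":        {"email": "Alice@example.org", "email_verified": True},
    "unverified":      {"email": "alice@example.org", "email_verified": False},
    "missing_flag":    {"email": "alice@example.org"},
    "string_flag":     {"email": "alice@example.org", "email_verified": "true"},
    "no_email":        {"name": "alice", "email_verified": True},
}


def evaluate_samples() -> dict[str, bool]:
    """Run every sample through the gate; only 'verified' should pass."""
    return {name: is_login_allowed(info) for name, info in SAMPLES.items()}


if __name__ == "__main__":
    for name, allowed in evaluate_samples().items():
        print(f"{name:13s} -> {'ALLOW' if allowed else 'DENY'}")
```

The strict `is True` comparison is the part worth copying: providers and intermediate libraries sometimes serialise `email_verified` as a string, and a truthiness check would accept `"false"`.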
CVE-2026-33175 is a HIGH severity vulnerability in oauthenticator allowing attackers with unverified Auth0 emails to bypass authentication and potentially take over JupyterHub accounts.
You are affected if you are using oauthenticator versions 0.0.0 through 17.3.9 with JupyterHub and rely on Auth0 for authentication.
Upgrade oauthenticator to version 17.4.0 or later to resolve the authentication bypass vulnerability.
As of the current assessment, there are no known public exploits or active campaigns targeting CVE-2026-33175.
Refer to the oauthenticator project's release notes and security advisories for official information regarding CVE-2026-33175.