Authentication Bypass in OAuthenticator for JupyterHub by Jupyter Project
CVE-2026-33175

8.8 HIGH

Key Information:

Vendor

Jupyterhub

CVE Published:
3 April 2026

What is CVE-2026-33175?

The OAuthenticator component used with JupyterHub is vulnerable to an authentication bypass. An attacker with an unverified email address on an Auth0 tenant can log into JupyterHub, potentially leading to account takeover. When email is used as the username_claim, attackers are able to manipulate usernames. This vulnerability was addressed in version 17.4.0.
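The check below shows the condition described above from the defender's side. It is an added example, not OAuthenticator's code and not the 17.4.0 fix. It assumes the identity provider reports verification in the standard OIDC email_verified claim; resolve_username, evaluate and the sample logins are hypothetical.

```python
# Added example: refuse an unverified email before it becomes a JupyterHub username.
# Assumption: `userinfo` is the decoded claims dict returned by the identity provider,
# and verification status is carried in the standard OIDC `email_verified` claim.


class UnverifiedEmailError(Exception):
    """Raised when an email-based username is not backed by a verified email."""


def resolve_username(userinfo, username_claim="email"):
    """Return the username for this login, or raise if it cannot be trusted."""
    username = userinfo.get(username_claim)
    if not isinstance(username, str) or not username.strip():
        raise ValueError(f"claim {username_claim!r} is missing or empty")
    if username_claim == "email":
        # Only a real boolean True counts. A missing claim, False, or a
        # string such as "true" is treated as unverified (fail closed).
        if userinfo.get("email_verified") is not True:
            raise UnverifiedEmailError(f"{username!r} is not a verified email")
    return username


# Constructed sample logins (not real data).
SAMPLE_LOGINS = [
    {"sub": "auth0|1", "email": "alice@example.org", "email_verified": True},
    {"sub": "auth0|2", "email": "admin@example.org", "email_verified": False},
    {"sub": "auth0|3", "email": "bob@example.org"},
    {"sub": "auth0|4", "email": "carol@example.org", "email_verified": "true"},
]


def evaluate(logins, username_claim="email"):
    """Return (sub, allowed, detail) for each login so the outcome can be reviewed."""
    results = []
    for info in logins:
        try:
            results.append((info["sub"], True, resolve_username(info, username_claim)))
        except (UnverifiedEmailError, ValueError) as exc:
            results.append((info["sub"], False, str(exc)))
    return results


if __name__ == "__main__":
    for sub, allowed, detail in evaluate(SAMPLE_LOGINS):
        print(f"{sub}: {'ALLOW' if allowed else 'DENY'} ({detail})")
```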

Affected Version(s)

oauthenticator < 17.4.0

CVSS V3.1

Score:
8.8
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
