Denial of Service Vulnerability in LTI JupyterHub Authenticator by Jupyter
CVE-2026-34052

5.9 MEDIUM

Key Information:

Vendor: Jupyterhub

CVE Published: 3 April 2026

What is CVE-2026-34052?

The LTI JupyterHub Authenticator is susceptible to a denial of service because of how it handles OAuth nonces. Prior to version 1.6.3, nonces were stored in a class-level dictionary with no limit on its size. An attacker who knows a valid consumer key can therefore send a large number of requests, each with a unique nonce, until server memory is exhausted and the service becomes unavailable. Users are strongly advised to update to version 1.6.3, where this vulnerability has been addressed.
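The defect above is an unbounded nonce store. The following added example (not ltiauthenticator's own code) places the growing class-level dictionary pattern beside a bounded, time-windowed nonce cache that still rejects replays; the class names, the window and cap values, and the injectable clock are assumptions made for illustration.

```python
import time
from collections import OrderedDict


class UnboundedNonceStore:
    """Pattern described in the advisory: a class-level dict that only grows.
    Every fresh nonce adds an entry and nothing is ever evicted."""
    seen = {}

    @classmethod
    def check_and_record(cls, nonce, timestamp):
        if nonce in cls.seen:
            return False  # replayed nonce
        cls.seen[nonce] = timestamp
        return True


class BoundedNonceStore:
    """Hardened variant (illustrative, not the project's fix): nonces are kept
    only for a time window and the store has a hard entry cap, so memory use
    is bounded no matter how many unique nonces arrive."""

    def __init__(self, window=300, max_entries=10000, clock=time.time):
        self.window = window            # seconds a nonce must be remembered
        self.max_entries = max_entries  # hard cap on remembered nonces
        self.clock = clock              # injectable for deterministic tests
        self.seen = OrderedDict()       # nonce -> server receipt time

    def _evict(self, now):
        # Entries are in receipt order, so drop from the front while expired.
        while self.seen and now - next(iter(self.seen.values())) > self.window:
            self.seen.popitem(last=False)
        # Hard cap: under a flood this forgets the oldest nonces early. That
        # trades bounded memory for a replay window no wider than `window`,
        # because the timestamp check below still rejects stale requests.
        while len(self.seen) > self.max_entries:
            self.seen.popitem(last=False)

    def check_and_record(self, nonce, timestamp):
        now = self.clock()
        if abs(now - timestamp) > self.window:
            return False  # OAuth timestamp outside the accepted window
        if nonce in self.seen:
            return False  # replayed nonce
        self.seen[nonce] = now
        self._evict(now)
        return True
```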

Affected Version(s)

ltiauthenticator < 1.6.3

References

CVSS V3.1

Score: 5.9
Severity: MEDIUM
Confidentiality: None
Integrity: None
Availability: None
Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.