Session Cookie Vulnerability in Jupyter Server Affects User Authentication
CVE-2026-40934

7.6HIGH

Key Information:

Vendor: Jupyter-server
Status: Jupyter Server
Vendor: CVE Published:; 5 May 2026

🔔 Create Jupyter-server Vulnerability Alert

What is CVE-2026-40934?

Jupyter Server, the backbone of Jupyter web applications, contains a vulnerability where the secret used to sign authentication cookies is stored in a static file without rotation upon password changes. This design flaw enables an attacker who has intercepted a session cookie to retain authenticated access to the server, even after a user has reset their password. Particularly concerning for installations using password-based authentication, this issue poses a grave risk for shared or public servers where session management is critical. The vulnerability was addressed in version 2.18.0, which introduced measures to enhance the security of session cookies.

Affected Version(s)

jupyter_server < 2.18.0

References

https://github.com/jupyter-server/jupyter_server/security...

x_refsource_CONFIRM

CVSS V4

Score:

7.6

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

Physical

Privileges Required:

Undefined

User Interaction:

None

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
May 5, 2026
Vulnerability Reserved
Apr 15, 2026

CVE-2026-40934 Data

JSON