Insecure Extension Management in JupyterLab by Project Jupyter
CVE-2026-42266

8.8HIGH

Key Information:

Vendor: Jupyterlab
Status: Jupyterlab
Vendor: CVE Published:; 13 May 2026

What is CVE-2026-42266?

JupyterLab, an extensible computing environment built on the Jupyter Notebook Architecture, has a vulnerability in versions 4.0.0 to 4.5.6. The allow-list for extensions that can be installed via the PyPI Extension Manager does not enforce restrictions properly, allowing potential installation from unauthorized packages outside the default PyPI index. This flaw was addressed in version 4.5.7, which correctly enforces the allowed extensions, mitigating the risk of malicious extension installations.

Affected Version(s)

jupyterlab >= 4.0.0, < 4.5.7

References

https://github.com/jupyterlab/jupyterlab/security/advisor...

x_refsource_CONFIRM

CVSS V3.1

Score:

8.8

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
May 13, 2026
Vulnerability Reserved
Apr 26, 2026

CVE-2026-42266 Data

JSON

Jupyterlab

What is CVE-2026-42266?

Affected Version(s)

References

CVSS V3.1

Timeline