CVE-2026-40864
medium
CVSS v3
5.4
CVSS v2
—
VIR risk
5.4
Description
JupyterHub: cross-origin form POSTs bypass XSRF protection (CWE-352)
Predictions
Exploit likelihood
64%
Patch ETA
—
Heuristic predictions, AS-IS, for prioritization only.
Mitigations
Vendor advisory: debian — https://security-tracker.debian.org/tracker/CVE-2026-40864
OS impact
| OS | Version | Status | Fixed in |
|---|---|---|---|
| debian | bookworm | affected | |
| debian | forky | affected | |
| debian | sid | affected | |
| debian | trixie | affected | |
Package impact
| Ecosystem | Package | Vulnerable | Fixed |
|---|---|---|---|
| PyPI | jupyterhub | >=4.1.0,<5.4.5 | 5.4.5 |
| PIP | jupyterhub | >=4.1.0,<5.4.5 | 5.4.5 |
References
- https://github.com/jupyterhub/jupyterhub/commit/9c5ec277d3cda5a59de2d8c8117efa77bd941127
- https://github.com/jupyterhub/jupyterhub/security/advisories/GHSA-m68r-v472-jgq9
- https://github.com/jupyterhub/jupyterhub
- https://security-tracker.debian.org/tracker/CVE-2026-40864
- https://github.com/advisories/GHSA-m68r-v472-jgq9
CWEs
CWE-352