VIR Vulnerability Intelligence Relay

CVE-2026-40934

medium
Published 2026-05-05 · Modified 2026-05-20
CVSS v3
6.8
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N
CVSS v2
VIR risk
6.8

Description

Jupyter Server is the backend for Jupyter web applications. In versions 2.17.0 and earlier, the secret used to sign authentication cookies is persisted to a static file at ~/.local/share/jupyter/runtime/jupyter_cookie_secret and is never rotated when a user changes their password. After a password reset and server restart, any previously issued authentication cookie remains cryptographically valid because the signing key has not changed. An attacker who has captured a session cookie through any means retains full authenticated access to the server regardless of subsequent password changes. This affects deployments using password-based authentication, particularly shared or public-facing servers where credential rotation is expected to revoke existing sessions. This issue has been fixed in version 2.18.0.

Predictions

Exploit likelihood
77%
Patch ETA

Heuristic predictions, AS-IS, for prioritization only.

Mitigations

vendor Authored 2026-05-27

Vendor advisory: debian — https://security-tracker.debian.org/tracker/CVE-2026-40934

vendor Authored 2026-05-27

Vendor advisory: security-advisories@github.com — https://github.com/jupyter-server/jupyter_server/security/advisories/GHSA-5mrq-x3x5-8v8f

OS impact
OSVersionStatusFixed in
debian debianbookwormaffected
debian debianbullseyeaffected
debian debianforkyaffected
debian debiansidaffected
debian debiantrixieaffected

Package impact
EcosystemPackageVulnerableFixed
python PyPIjupyter-server<2.18.02.18.0
PIPjupyter-server<= 2.17.02.18.0

Application impact
VendorProductVersionsFixed
jupyterjupyter_server{"endExcluding":"2.18.0"}2.18.0

References

CWEs

CWE-613

Verify integrity in audit chain (admin only). AS-IS.