CVE-2026-6657

MEDIUM 6.1

CORS Origin Validation Bypass in jupyter-server

CVSS Score

6.1

EPSS Score

0.0%

EPSS Percentile

0th

A vulnerability in jupyter-server versions 1.12.0 through 2.17.0 allows an attacker to bypass CORS origin validation when the `allow_origin_pat` configuration is used. The issue arises from the use of `re.match()` for validating the `Origin` header, which only anchors at the start of the string. This allows attacker-controlled domains such as `trusted.example.com.evil.com` to pass validation against patterns intended to match `trusted.example.com`. The vulnerability affects multiple locations in the codebase, including CORS headers, WebSocket connections, referer validation, and login redirects, potentially enabling phishing attacks, arbitrary code execution, and unauthorized access to sensitive API responses.

CWE	CWE-346
Vendor	jupyter
Product	jupyter/jupyter
Published	Jun 3, 2026
Last Updated	Jun 3, 2026

Stay Ahead of the Next One

Get instant alerts for jupyter jupyter/jupyter

Be the first to know when new medium vulnerabilities affecting jupyter jupyter/jupyter are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Affected Versions

jupyter / jupyter/jupyter

unspecified ≤ latest

References

NVD ↗ CVE.org ↗ EPSS Data ↗

huntr.com: https://huntr.com/bounties/18f642db-3569-43b3-b58d-ff97be4b09d7