CVE Catalog

CVE-2026-6657

HighCVSS 8.8
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.20%

10th percentile - higher than 10% of all known CVEs

Summary

A vulnerability in jupyter-server versions 1.12.0 through 2.17.0 allows bypassing CORS origin validation when using the `allow_origin_pat` configuration. The issue stems from the use of `re.match()` which only anchors at the start of the string, enabling attacker-controlled domains like `trusted.example.com.evil.com` to pass validation.

Risk Assessment

The risk includes potential phishing attacks, arbitrary code execution, and unauthorized access to sensitive API responses, potentially leading to data confidentiality and integrity breaches in the organization.

Recommendation

It is recommended to immediately upgrade jupyter-server to version 2.17.1 or later, which includes a fix for this vulnerability. Also review CORS configurations and replace `allow_origin_pat` with more secure validation methods.

Original NVD description (English source)

A vulnerability in jupyter-server versions 1.12.0 through 2.17.0 allows an attacker to bypass CORS origin validation when the `allow_origin_pat` configuration is used. The issue arises from the use of `re.match()` for validating the `Origin` header, which only anchors at the start of the string. This allows attacker-controlled domains such as `trusted.example.com.evil.com` to pass validation against patterns intended to match `trusted.example.com`. The vulnerability affects multiple locations in the codebase, including CORS headers, WebSocket connections, referer validation, and login redirects, potentially enabling phishing attacks, arbitrary code execution, and unauthorized access to sensitive API responses.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS