CVE-2026-21883
WebSocket Origin Validation Bypass in Bokeh Server Allows Unauthorized Access
Publication date: 2026-01-08
Last updated on: 2026-03-09
Assigner: GitHub, Inc.
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| bokeh | bokeh | < 3.8.2 (fixed in 3.8.2) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-1385 | The product uses a WebSocket, but it does not properly verify that the source of data or communication is valid. |
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The provided resources do not specify how this vulnerability affects compliance with common standards and regulations such as GDPR or HIPAA.
How can this vulnerability impact me?
If you run a Bokeh server at version 3.8.1 or below with a WebSocket origin allowlist configured, an attacker can register a lookalike domain that begins with one of your allowed entries and use it to pass the origin check. A victim who visits a page on that domain has their browser open a WebSocket to your Bokeh server, and the server accepts it as if it came from a trusted origin. The attacker's page can then drive the Bokeh session on the victim's behalf, potentially reading data the victim is authorized to see or modifying visualizations, which compromises the confidentiality and integrity of your data and visual outputs. [2]
Can you explain this vulnerability to me?
This vulnerability in Bokeh server versions 3.8.1 and below is an improper origin validation in the WebSocket handshake. Browsers do not apply the same-origin policy to WebSocket connections; the only thing that stops a third-party page from connecting is the server checking the Origin header the browser sends. When a Bokeh server is configured with an allowlist of hosts, the flawed matching logic accepts any host that merely starts with an allowed entry, so an attacker can register a domain that has extra trailing labels (e.g. dashboard.corp.attacker.com when dashboard.corp is allowed). The attacker lures a victim to a page on that domain, the page opens a WebSocket to the vulnerable Bokeh server, and because only the leading part of the hostname is compared the server accepts the connection. The attacker's page can then interact with the Bokeh server on behalf of the victim, potentially accessing sensitive data or modifying visualizations. The issue was fixed in version 3.8.2. [2]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Exploitation attempts can be detected by monitoring WebSocket handshake (HTTP Upgrade) requests to your Bokeh server and inspecting their Origin headers. Look for Origin values whose host starts with one of your allowlist entries but carries additional labels or characters after it (e.g. dashboard.corp.attacker.com or dashboard.corpevil.example when dashboard.corp is allowed); a legitimate Origin matches an allowed host exactly, label for label. You can capture handshakes with tcpdump or Wireshark, for example `tcpdump -i <interface> -A -s 0 'tcp port <bokeh_server_port>' | grep Origin`, which prints the Origin header of each upgrade request. Note that this only works when the server speaks plaintext HTTP on that port; if TLS terminates at the Bokeh server or a reverse proxy, capture behind the TLS termination point or use the proxy's access logs instead. Reviewing the server's or proxy's logs for unexpected Origin values against the allowlist is the more practical ongoing check. [2]
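The following is an added illustration, not Bokeh's own code: a prefix-style origin check of the kind the explanation above describes, next to a strict check that compares the host label by label and the port explicitly, and a small sweep over constructed log lines that flags every Origin the prefix logic would have accepted but the strict logic rejects (the detection rule from the answer above). The allowlist syntax (host, host:port, host:*, *.domain), the rule that an entry without a port means the scheme's default port, the log line format and all sample values are assumptions made for the example.

```python
"""Prefix vs strict WebSocket Origin allowlist matching, plus a log sweep.

Added example, not Bokeh's code. Allowlist syntax, default-port rule,
log format and sample data are all assumptions for illustration.
"""
from urllib.parse import urlsplit

# Origin headers carry http or https; an entry without a port is taken to
# mean the scheme's default port (assumption for this example).
DEFAULT_PORTS = {"http": 80, "https": 443}


def split_origin(origin):
    """Return (host, port, default_port) for an Origin value, else None.

    Rejects "null", empty and malformed origins so they never match.
    """
    parts = urlsplit(origin.strip())
    if parts.scheme not in DEFAULT_PORTS or not parts.hostname:
        return None
    try:
        port = parts.port
    except ValueError:  # non-numeric port
        return None
    default_port = DEFAULT_PORTS[parts.scheme]
    return parts.hostname.lower(), port or default_port, default_port


def origin_allowed_prefix(origin, allowlist):
    """Weak check in the style the advisory describes: startswith on the host.

    dashboard.corp.attacker.com passes for the entry dashboard.corp.
    """
    parsed = split_origin(origin)
    if parsed is None:
        return False
    host, _port, _default = parsed
    return any(host.startswith(entry.split(":")[0].lower()) for entry in allowlist)


def match_host(host, port, pattern, default_port):
    """Strict match of one allowlist entry against a host and port.

    Host labels are compared one to one; a '*' label matches exactly one
    label, so *.corp.example matches app.corp.example but not
    evil.app.corp.example. The port must equal the entry's port, or the
    entry's port is '*', or the entry has no port and the origin uses the
    scheme default. IPv6 literals are not handled here.
    """
    pat_host, sep, pat_port = pattern.lower().partition(":")
    if sep:
        if pat_port != "*" and str(port) != pat_port:
            return False
    elif port != default_port:
        return False
    host_labels = host.split(".")
    pat_labels = pat_host.split(".")
    if len(host_labels) != len(pat_labels):
        return False
    return all(p == "*" or p == h for p, h in zip(pat_labels, host_labels))


def origin_allowed_strict(origin, allowlist):
    """Hardened check: exact label-wise host match plus explicit port match."""
    parsed = split_origin(origin)
    if parsed is None:
        return False
    host, port, default_port = parsed
    return any(match_host(host, port, entry, default_port) for entry in allowlist)


def extract_origin(line):
    """Pull the Origin value out of a constructed ' | '-separated log line."""
    for field in line.split(" | "):
        name, sep, value = field.partition(": ")
        if sep and name.strip().lower() == "origin":
            return value.strip()
    return None


def find_spoofed_origins(log_lines, allowlist):
    """Origins a prefix check accepts but the strict check rejects."""
    hits = []
    for line in log_lines:
        origin = extract_origin(line)
        if origin is None:
            continue
        if origin_allowed_prefix(origin, allowlist) and not origin_allowed_strict(origin, allowlist):
            hits.append(origin)
    return hits


# Constructed sample log lines, not real Bokeh server output.
SAMPLE_LOG = [
    "2026-01-09T10:00:01Z | GET /app/ws | Upgrade: websocket | Origin: http://dashboard.corp",
    "2026-01-09T10:00:07Z | GET /app/ws | Upgrade: websocket | Origin: http://dashboard.corp.attacker.com",
    "2026-01-09T10:00:09Z | GET /app/ws | Upgrade: websocket | Origin: https://dashboard.corpevil.example",
    "2026-01-09T10:00:12Z | GET /app/ws | Upgrade: websocket | Origin: http://other.example",
    "2026-01-09T10:00:15Z | GET /static/js/bokeh.min.js | Origin: null",
]
ALLOWLIST = ["dashboard.corp"]  # hypothetical allowlist entry

if __name__ == "__main__":
    for origin in find_spoofed_origins(SAMPLE_LOG, ALLOWLIST):
        print("prefix-only match, would be rejected by strict check:", origin)
```

Running the block prints the two lookalike origins from the sample log. The sweep deliberately compares the two matchers rather than pattern-matching on the log text, so it keeps working for any allowlist entry you plug in, wildcard and port forms included.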
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation is to upgrade your Bokeh server to version 3.8.2 or later, where the origin validation logic has been fixed. The fix corrects the host matching so that wildcard hosts and ports are validated properly and a host is only accepted when it matches an allowlist entry exactly rather than merely starting with it, which stops WebSocket connections from attacker-controlled lookalike domains. No workaround is available, so upgrading is the recommended action. After upgrading, review your allowlist entries and check the server's or reverse proxy's logs for Origin values that only partially match an allowed host, in case the flaw was exploited before the update. [2, 1]