CVE-2026-40934
Authentication Cookie Secret Persistence in Jupyter Server
Publication date: 2026-05-05
Last updated on: 2026-05-06
Assigner: GitHub, Inc.
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| jupyter | jupyter_server | up to 2.18.0 (exclusive) |
| jupyter | jupyter_server | 2.18.0 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-613 | According to WASC, "Insufficient Session Expiration is when a web site permits an attacker to reuse old session credentials or session IDs for authorization." |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability affects Jupyter Server versions 2.17.0 and earlier. The secret key used to sign authentication cookies is stored in a static file and is never changed when a user resets their password. As a result, any authentication cookies issued before the password reset remain valid even after the password has been changed. This means an attacker who has obtained a session cookie can continue to access the server with full authentication despite password changes.
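The mechanism described above, as an added model that is not Jupyter Server's own code: a server that signs cookies with a persisted secret keeps accepting pre-reset cookies after the password changes, while a variant that regenerates the secret on password change does not. The class name, the `user:mac` cookie format, HMAC-SHA256 and the rotation step are assumptions of this model, not a description of the upstream fix.

```python
import hashlib
import hmac
import secrets
from typing import Optional


class CookieAuth:
    """Toy password + signed-cookie server (assumed model, not Jupyter's code).

    rotate=False mirrors the defect: the cookie secret is generated once,
    like a static secret file, and survives every password change.
    """

    def __init__(self, password: str, rotate: bool):
        self._rotate = rotate
        self._cookie_secret = secrets.token_bytes(32)  # the persisted secret
        self._password_hash = self._hash_password(password)

    @staticmethod
    def _hash_password(password: str) -> str:
        # Plain SHA-256 keeps the model short; a real server would use a slow KDF.
        return hashlib.sha256(password.encode()).hexdigest()

    def login(self, password: str, user: str = "user") -> Optional[str]:
        """Return a cookie 'user:mac' on a correct password, else None."""
        if not hmac.compare_digest(self._hash_password(password), self._password_hash):
            return None
        mac = hmac.new(self._cookie_secret, user.encode(), "sha256").hexdigest()
        return f"{user}:{mac}"

    def verify_cookie(self, cookie: str) -> bool:
        """Accept any cookie whose MAC matches the current secret."""
        user, _, mac = cookie.partition(":")
        expected = hmac.new(self._cookie_secret, user.encode(), "sha256").hexdigest()
        return hmac.compare_digest(mac, expected)

    def change_password(self, new_password: str) -> None:
        self._password_hash = self._hash_password(new_password)
        if self._rotate:
            # Hardened variant: a fresh secret invalidates every cookie
            # signed under the old one, so old sessions die with the password.
            self._cookie_secret = secrets.token_bytes(32)


def cookie_survives_password_change(rotate: bool) -> bool:
    """True if a cookie issued before a reset is still accepted afterwards."""
    server = CookieAuth("old-password", rotate=rotate)
    cookie = server.login("old-password")
    server.change_password("new-password")
    return server.verify_cookie(cookie)
```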
How can this vulnerability impact me?
The vulnerability allows an attacker who has captured a session cookie to maintain unauthorized access to the Jupyter Server even after the legitimate user changes their password. This undermines the security of password-based authentication, especially on shared or public-facing servers where users expect that changing their password will revoke existing sessions. Consequently, it can lead to persistent unauthorized access and potential data exposure.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, upgrade Jupyter Server to version 2.18.0 or later, where the issue has been fixed.
Until the upgrade is applied, be aware that password resets do not invalidate existing authentication cookies, so consider restarting the server and invalidating sessions manually.
Avoid using password-based authentication on shared or public-facing servers where session revocation is critical.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
This vulnerability allows previously issued authentication cookies to remain valid even after a user changes their password, enabling an attacker who has captured a session cookie to retain full authenticated access. This undermines expected credential rotation and session revocation mechanisms.
Such persistent access could lead to unauthorized data exposure or access, which may conflict with compliance requirements in standards like GDPR and HIPAA that mandate strict access controls, session management, and protection of sensitive data.
Therefore, deployments affected by this vulnerability, especially shared or public-facing servers, may face challenges in meeting compliance obligations related to user authentication and session security.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves the persistence of the secret used to sign authentication cookies in Jupyter Server versions 2.17.0 and earlier. To determine whether your system is vulnerable, check the version of Jupyter Server running and verify the presence of the static cookie secret file.
- Check the Jupyter Server version to see if it is 2.17.0 or earlier.
- Look for the cookie secret file at ~/.local/share/jupyter/runtime/jupyter_cookie_secret.
- If the file exists and the version is vulnerable, the system is likely affected.
Example commands to perform these checks on a Unix-like system:
- Check Jupyter Server version: `jupyter server --version`
- Check for the cookie secret file: `ls -l ~/.local/share/jupyter/runtime/jupyter_cookie_secret`