CVE-2026-40934
Analyzed Analyzed - Analysis Complete
Authentication Cookie Secret Persistence in Jupyter Server

Publication date: 2026-05-05

Last updated on: 2026-05-11

Assigner: GitHub, Inc.

Description
Jupyter Server is the backend for Jupyter web applications. In versions 2.17.0 and earlier, the secret used to sign authentication cookies is persisted to a static file at ~/.local/share/jupyter/runtime/jupyter_cookie_secret and is never rotated when a user changes their password. After a password reset and server restart, any previously issued authentication cookie remains cryptographically valid because the signing key has not changed. An attacker who has captured a session cookie through any means retains full authenticated access to the server regardless of subsequent password changes. This affects deployments using password-based authentication, particularly shared or public-facing servers where credential rotation is expected to revoke existing sessions. This issue has been fixed in version 2.18.0.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-05
Last Modified
2026-05-11
Generated
2026-06-16
AI Q&A
2026-05-06
EPSS Evaluated
2026-06-15
NVD
CVE-2026-40934
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
jupyter jupyter_server to 2.18.0 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-613 According to WASC, "Insufficient Session Expiration is when a web site permits an attacker to reuse old session credentials or session IDs for authorization."
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability affects Jupyter Server versions 2.17.0 and earlier. The secret key used to sign authentication cookies is stored in a static file and is never changed when a user resets their password. As a result, any authentication cookies issued before the password reset remain valid even after the password has been changed. This means an attacker who has obtained a session cookie can continue to access the server with full authentication despite password changes.

Detection Guidance

This vulnerability involves the persistence of the secret used to sign authentication cookies in Jupyter Server versions 2.17.0 and earlier. To detect if your system is vulnerable, you need to check the version of Jupyter Server running and verify the presence of the static cookie secret file.

  • Check the Jupyter Server version to see if it is 2.17.0 or earlier.
  • Look for the cookie secret file at ~/.local/share/jupyter/runtime/jupyter_cookie_secret.
  • If the file exists and the version is vulnerable, the system is likely affected.

Example commands to perform these checks on a Unix-like system:

  • Check Jupyter Server version: `jupyter server --version`
  • Check for the cookie secret file: `ls -l ~/.local/share/jupyter/runtime/jupyter_cookie_secret`
Impact Analysis

The vulnerability allows an attacker who has captured a session cookie to maintain unauthorized access to the Jupyter Server even after the legitimate user changes their password. This undermines the security of password-based authentication, especially on shared or public-facing servers where users expect that changing their password will revoke existing sessions. Consequently, it can lead to persistent unauthorized access and potential data exposure.

Mitigation Strategies

To mitigate this vulnerability, upgrade Jupyter Server to version 2.18.0 or later, where the issue has been fixed.

Until the upgrade is applied, be aware that password resets do not invalidate existing authentication cookies, so consider restarting the server and invalidating sessions manually.

Avoid using password-based authentication on shared or public-facing servers where session revocation is critical.

Compliance Impact

This vulnerability allows previously issued authentication cookies to remain valid even after a user changes their password, enabling an attacker who has captured a session cookie to retain full authenticated access. This undermines expected credential rotation and session revocation mechanisms.

Such persistent access could lead to unauthorized data exposure or access, which may conflict with compliance requirements in standards like GDPR and HIPAA that mandate strict access controls, session management, and protection of sensitive data.

Therefore, deployments affected by this vulnerability, especially shared or public-facing servers, may face challenges in meeting compliance obligations related to user authentication and session security.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-40934. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart