CVE-2026-6657
Awaiting Analysis Awaiting Analysis - Queue
CORS Origin Validation Bypass in Jupyter Server

Publication date: 2026-06-03

Last updated on: 2026-06-03

Assigner: huntr.dev

Description
A vulnerability in jupyter-server versions 1.12.0 through 2.17.0 allows an attacker to bypass CORS origin validation when the `allow_origin_pat` configuration is used. The issue arises from the use of `re.match()` for validating the `Origin` header, which only anchors at the start of the string. This allows attacker-controlled domains such as `trusted.example.com.evil.com` to pass validation against patterns intended to match `trusted.example.com`. The vulnerability affects multiple locations in the codebase, including CORS headers, WebSocket connections, referer validation, and login redirects, potentially enabling phishing attacks, arbitrary code execution, and unauthorized access to sensitive API responses.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-06-03
Last Modified
2026-06-03
Generated
2026-06-24
AI Q&A
2026-06-03
EPSS Evaluated
2026-06-22
NVD
CVE-2026-6657
EUVD
EUVD-2026-34104
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
jupyter jupyter-server From 1.12.0 (inc) to 2.17.0 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-346 The product does not properly verify that the source of data or communication is valid.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in jupyter-server versions 1.12.0 through 2.17.0 and involves bypassing CORS origin validation when the `allow_origin_pat` configuration is used.

The issue stems from the use of the `re.match()` function to validate the `Origin` header, which only checks the start of the string. This allows attacker-controlled domains like `trusted.example.com.evil.com` to bypass validation intended for `trusted.example.com`.

The vulnerability affects multiple parts of the codebase, including CORS headers, WebSocket connections, referer validation, and login redirects.

As a result, attackers can potentially perform phishing attacks, execute arbitrary code, and gain unauthorized access to sensitive API responses.

Impact Analysis

This vulnerability can have several serious impacts:

  • Attackers may bypass CORS origin validation, allowing malicious domains to interact with your server as if they were trusted.
  • It can enable phishing attacks by misleading users or systems about the origin of requests.
  • Attackers might execute arbitrary code on the server, potentially compromising system integrity.
  • Unauthorized access to sensitive API responses could lead to data leakage or exposure of confidential information.
Compliance Impact

The vulnerability allows attackers to bypass CORS origin validation, potentially leading to unauthorized access to sensitive API responses, phishing attacks, and arbitrary code execution.

Such unauthorized access and potential data breaches could impact compliance with standards and regulations like GDPR and HIPAA, which require protection of sensitive data and prevention of unauthorized access.

However, the provided information does not explicitly describe the direct effects on compliance with these standards.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-6657. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart