CVE-2026-6657
CORS Origin Validation Bypass in Jupyter Server
Publication date: 2026-06-03
Last updated on: 2026-06-03
Assigner: huntr.dev
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| jupyter | jupyter-server | From 1.12.0 (inc) to 2.17.0 (inc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-346 | The product does not properly verify that the source of data or communication is valid. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in jupyter-server versions 1.12.0 through 2.17.0 and involves bypassing CORS origin validation when the `allow_origin_pat` configuration is used.
The issue stems from the use of the `re.match()` function to validate the `Origin` header, which only checks the start of the string. This allows attacker-controlled domains like `trusted.example.com.evil.com` to bypass validation intended for `trusted.example.com`.
The vulnerability affects multiple parts of the codebase, including CORS headers, WebSocket connections, referer validation, and login redirects.
As a result, attackers can potentially perform phishing attacks, execute arbitrary code, and gain unauthorized access to sensitive API responses.
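The weakness described above, shown as an added example that is not jupyter-server's own code: a prefix-only origin check built on `re.match()` beside a hardened check built on `re.fullmatch()`, run over a few constructed `Origin` values. The pattern and origin strings are assumptions chosen to illustrate the point, not values taken from the advisory.

```python
import re

# Constructed stand-in for an operator's allow_origin_pat value. It anchors
# only the start of the origin, which is exactly the situation where a
# start-anchored match lets a look-alike domain through.
ALLOW_ORIGIN_PAT = r"https://trusted\.example\.com"


def origin_allowed_prefix_match(origin: str, pattern: str = ALLOW_ORIGIN_PAT) -> bool:
    """Weak check: re.match() succeeds if the pattern matches at the START
    of the string, so any trailing text after the trusted host is ignored."""
    return bool(re.match(pattern, origin))


def origin_allowed_full_match(origin: str, pattern: str = ALLOW_ORIGIN_PAT) -> bool:
    """Hardened check: re.fullmatch() requires the ENTIRE Origin value to
    match the pattern, so appended host labels or paths cause rejection."""
    return bool(re.fullmatch(pattern, origin))


# Constructed Origin header values: one legitimate, the rest look-alikes.
SAMPLE_ORIGINS = [
    "https://trusted.example.com",
    "https://trusted.example.com.evil.com",
    "https://trusted.example.com:8888",
    "https://evil.com",
]


def compare_checks(origins=SAMPLE_ORIGINS, pattern: str = ALLOW_ORIGIN_PAT):
    """Return {origin: (prefix_match_result, full_match_result)} so the two
    behaviours can be inspected side by side."""
    return {
        o: (origin_allowed_prefix_match(o, pattern), origin_allowed_full_match(o, pattern))
        for o in origins
    }


def mismatches(origins=SAMPLE_ORIGINS, pattern: str = ALLOW_ORIGIN_PAT):
    """Origins the weak check accepts but the hardened check rejects. A
    non-empty result means the deployed pattern relies on start-only matching."""
    return [o for o, (weak, strict) in compare_checks(origins, pattern).items() if weak and not strict]


if __name__ == "__main__":
    for origin, (weak, strict) in compare_checks().items():
        print(f"{origin:45} re.match={weak!s:5} re.fullmatch={strict!s:5}")
    print("accepted only by the weak check:", mismatches())
```

Note that `https://trusted.example.com:8888` is also rejected by the full match; an operator who legitimately serves on a non-default port must put the port (for example `(:\d+)?`) into the pattern rather than relying on the looser prefix behaviour to cover it. The same comparison can be run against a live configuration by passing the real `allow_origin_pat` string to `mismatches()` together with the origins that are expected to be allowed.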
How can this vulnerability impact me?
This vulnerability can have several serious impacts:
- Attackers may bypass CORS origin validation, allowing malicious domains to interact with your server as if they were trusted.
- It can enable phishing attacks by misleading users or systems about the origin of requests.
- Attackers might execute arbitrary code on the server, potentially compromising system integrity.
- Unauthorized access to sensitive API responses could lead to data leakage or exposure of confidential information.