VIR Vulnerability Intelligence Relay

CVE-2026-6657

medium
Published 2026-06-03 · Modified 2026-06-03
💬 Discuss on Community ✚ Propose mitigation
CVSS v3
6.1
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
CVSS v4 NEW
not yet in upstream
VIR risk
6.1

Description

A vulnerability in jupyter-server versions 1.12.0 through 2.17.0 allows an attacker to bypass CORS origin validation when the `allow_origin_pat` configuration is used. The issue arises from the use of `re.match()` for validating the `Origin` header, which only anchors at the start of the string. This allows attacker-controlled domains such as `trusted.example.com.evil.com` to pass validation against patterns intended to match `trusted.example.com`. The vulnerability affects multiple locations in the codebase, including CORS headers, WebSocket connections, referer validation, and login redirects, potentially enabling phishing attacks, arbitrary code execution, and unauthorized access to sensitive API responses.

Predictions

Exploit likelihood
71%
Patch ETA

Heuristic predictions, AS-IS, for prioritization only.

Mitigations

Mitigation details

Source: Debian Security Tracker · View original ↗ · DFSG

CVE-2026-6657 NameCVE-2026-6657 DescriptionA vulnerability in jupyter-server versions 1.12.0 through 2.17.0 allow ... SourceCVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more) Vulnerable and fixed packages The table below lists information on source packages. Source PackageReleaseVersionStatus…

CVE-2026-6657

NameCVE-2026-6657
DescriptionA vulnerability in jupyter-server versions 1.12.0 through 2.17.0 allow ...
SourceCVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
jupyter-server (PTS)bullseye1.2.2-1vulnerable
bookworm1.23.3-1vulnerable
trixie2.15.0-1vulnerable
forky, sid2.17.0-1vulnerable

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
jupyter-serversource(unstable)(unfixed)

Notes

https://huntr.com/bounties/18f642db-3569-43b3-b58d-ff97be4b09d7

Home - Debian Security - Source (Git)

Apply commands

text fix
Notes
https://huntr.com/bounties/18f642db-3569-43b3-b58d-ff97be4b09d7

OS impact
debian Debian Affected 5 releases
VersionStatusFixed in
trixie Affected
sid Affected
forky Affected
bullseye Affected
bookworm Affected

References

CWEs

CWE-346

Community-verified mitigations for this CVE will appear above when contributors publish them.

Verify integrity in audit chain (admin only). AS-IS.