HIGHCVE-2026-42266Published Modified CNA GitHub_M
CVE-2026-42266: JupyterLab has an Extension Manager API/GUI Policy Discrepancy allowing 3rd party (malicious) extensions install via POST request.
JupyterLab is an extensible environment for interactive and reproducible computing, based on the Jupyter Notebook Architecture. From 4.0.0 to 4.5.6, the allow-list of extensions that can be installed from PyPI Extension Manager (allowed_extensions_uris) is not correctly enforced by JupyterLab. The PyPI Extension Manager was not contained to packages listed on the default PyPI index. This vulnerability is fixed in 4.5.7.
Metrics
- CVSS v3.1
- 8.8
- Severity
- HIGH
- Fixed in
- —
- Affected Products
- 1
Affected packages
- jupyterlab / jupyterlab>= 4.0.0, < 4.5.7
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:HReferences
- https://github.com/jupyterlab/jupyterlab/security/advisories/GHSA-37w4-hwhx-4rc4
- https://github.com/jupyterlab/jupyterlab/releases/tag/v4.5.7
- https://jupyterhub.readthedocs.io/en/5.2.1/explanation/websecurity.html
- https://jupyterlab.readthedocs.io/en/latest/user/extensions.html#extension-manager-implementations