CVE-2026-44727 | Severity: CRITICAL | CNA: GitHub_M

CVE-2026-44727: Jupyter Server: Stored XSS in `NbconvertFileHandler` / `NbconvertPostHandler` via missing `sandbox` CSP

Jupyter Server is the backend for Jupyter web applications. Prior to 2.20, the nbconvert HTTP handlers in jupyter_server render user-authored notebook HTML under the Jupyter origin without a sandbox directive in their Content-Security-Policy. Combined with nbconvert.HTMLExporter's default non-sanitizing behavior, a notebook carrying an HTML payload in a display_data output triggers stored XSS with cookie access, full /api/* authority, and kernel RCE. This vulnerability is fixed in 2.20.

Metrics

CVSS v4.0: 9.3
Severity: CRITICAL
Fixed in: not listed
Affected Products: 1


HarborGuard Analysis

Synopsis

Stored cross-site scripting (XSS) in Jupyter Server affects the nbconvert HTTP handlers (NbconvertFileHandler and NbconvertPostHandler) in jupyter_server versions before 2.20. The vulnerability is reachable over the network by any low-privilege authenticated user and requires the victim to render a crafted notebook; because the handlers' Content-Security-Policy carries no sandbox directive, injected HTML runs under the full Jupyter origin. Successful exploitation gives an attacker access to session cookies, full /api/* authority, and the ability to execute arbitrary code in running kernels. No fix version has been published yet; HarborGuard is tracking this advisory and will make a patched-image rebuild available as soon as an upstream fix ships.
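A defender-side check for the condition the synopsis describes, added here as an example and not part of the HarborGuard analysis or of jupyter_server itself: it parses a Content-Security-Policy header as returned by a notebook-rendering endpoint and reports whether a sandbox directive actually separates the rendered HTML from the Jupyter origin. The sample headers are constructed, not captured from a real server.

```python
from __future__ import annotations


def parse_csp(header: str) -> dict[str, list[str]]:
    """Split a CSP header into {directive-name: [tokens]}.

    Directives are separated by ';' and tokens by whitespace; directive
    names are case-insensitive, and browsers honour only the first
    occurrence of a repeated directive.
    """
    directives: dict[str, list[str]] = {}
    for part in header.split(";"):
        tokens = part.strip().split()
        if not tokens:
            continue
        name, *values = tokens
        directives.setdefault(name.lower(), values)
    return directives


def sandbox_confines_origin(header: str | None) -> tuple[bool, str]:
    """Return (ok, reason) for a response that renders untrusted notebook HTML.

    ok is True only when a `sandbox` directive is present and does not carry
    `allow-same-origin`; with that token the sandboxed document keeps the
    Jupyter origin, so script in it can still read cookies and call /api/*.
    """
    if not header:
        return False, "no Content-Security-Policy header"
    directives = parse_csp(header)
    if "sandbox" not in directives:
        return False, "CSP lacks a sandbox directive; HTML runs under the Jupyter origin"
    flags = {t.lower() for t in directives["sandbox"]}
    if "allow-same-origin" in flags:
        return False, "sandbox allow-same-origin re-grants the Jupyter origin"
    return True, "sandbox directive present: " + " ".join(directives["sandbox"])


# Constructed sample headers (not captured from a real server): the first
# has no sandbox directive, the condition the advisory describes; the second
# is a hardened form that keeps scripts but drops the origin.
VULNERABLE_HEADER = "frame-ancestors 'self'; report-uri /api/security/csp-report"
HARDENED_HEADER = "sandbox allow-scripts; " + VULNERABLE_HEADER

if __name__ == "__main__":
    for label, hdr in (("vulnerable", VULNERABLE_HEADER), ("hardened", HARDENED_HEADER)):
        ok, why = sandbox_confines_origin(hdr)
        print(f"{label}: {'PASS' if ok else 'FAIL'} - {why}")
```

Against a live deployment, feed the check the Content-Security-Policy header of an nbconvert handler response; a FAIL on a rendered notebook is the condition this advisory describes.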

HarborGuard Coverage

Detection (Available)

Detection of CVE-2026-44727 is available across every HarborGuard environment: the CVE is ingested from upstream advisory feeds within minutes of publication and matched against all customer images, including custom-built images that bundle jupyter_server. Any image containing an affected version of jupyter_server (below 2.20) is flagged automatically.

Triage (Available)

Triage is available with the CVSS v4.0 score of 9.3 (Critical) surfaced alongside per-environment compliance policy weighting, so teams with stricter notebook-hosting policies see this issue elevated appropriately. Findings are routed to the inbox configured for each customer org, ensuring the right team receives the alert without manual filtering.

Patch (Pending upstream)

Because no fix version has been published upstream, HarborGuard re-checks this advisory on every ingest cycle and will make a patched-image rebuild available the moment the upstream maintainers ship a fix. In the meantime, customers can apply compensating controls through HarborGuard's policy engine, such as network-policy isolation for Jupyter workloads and egress filtering to limit lateral reach from a compromised kernel.

Exploit Conditions

  • Network reachability: Required

    The nbconvert handlers are exposed over the network, so an attacker must be able to reach the Jupyter Server HTTP endpoint across the network to deliver the malicious notebook payload.

  • Authentication: Required

    A low-privilege account (any valid Jupyter login) is sufficient to submit or store a notebook containing the XSS payload; no admin rights are needed.

  • Victim interaction: Required

    A logged-in user must open or render the malicious notebook through the nbconvert handler, making this a social-engineering or shared-workspace attack where the victim is induced to view the crafted content.

  • Attack complexity: Low

    Attack complexity is low, meaning the exploit is reliable and requires no race conditions, specific memory layout, or other environmental prerequisites beyond reaching the service and getting the victim to render the notebook.

Blast Radius

  • Reads session cookies tied to the Jupyter origin, allowing the attacker to hijack the victim's authenticated session.
  • Exercises full /api/* authority on behalf of the victim, including reading, creating, and deleting notebooks and files.
  • Executes arbitrary code inside running Jupyter kernels, giving the attacker a foothold on the underlying host process.
  • Propagates impact beyond the directly compromised user context to any shared infrastructure the Jupyter Server can reach (SC:H, SI:H, SA:H in the CVSS v4 vector).

How HarborGuard Handles This

Available on HarborGuard: detection for CVE-2026-44727 is active and will flag any image in a customer registry or CI pipeline that includes jupyter_server below 2.20. Because no upstream fix exists at this time, HarborGuard monitors the advisory on every ingest cycle and will automatically surface a patched-image rebuild the moment version 2.20 or later is published. While waiting for an upstream fix, customers can use HarborGuard's policy engine to apply compensating controls: network-policy isolation scoped to Jupyter workloads limits who can reach the nbconvert endpoints, egress filtering on kernel pods reduces the blast radius of a compromised kernel, and feature-flag or ingress-level gating can restrict notebook rendering to trusted users. For customers with auto-remediation enabled, a rebuild plus regression run and PR against affected workloads will be triggered automatically once a fix version is available upstream.

Affected packages

  • jupyter-server / jupyter_server: < 2.20

CVSS Vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H