CVE-2026-6657: Jupyter Server CORS Origin Validation Bypass Vulnerability
A flaw in Jupyter Server allows attackers to bypass its cross-origin request (CORS) validation by exploiting how the software validates the `Origin` header. When administrators configure allowed origins using the `allow_origin_pat` setting, the validation logic uses a partial string match rather than a complete one. This means an attacker can craft a domain like `trusted.example.com.evil.com` that will pass validation meant only for `trusted.example.com`. The vulnerability affects versions 1.12.0 through 2.17.0 and impacts CORS headers, WebSocket connections, referer checking, and login redirects, potentially enabling phishing, code execution, and unauthorized access to APIs.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 8.8 HIGH · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
- Weaknesses (CWE)
- CWE-346
- Affected products
- 1 configuration(s)
- Published / Modified
- 2026-06-03 / 2026-06-30
NVD description (verbatim)
A vulnerability in jupyter-server versions 1.12.0 through 2.17.0 allows an attacker to bypass CORS origin validation when the `allow_origin_pat` configuration is used. The issue arises from the use of `re.match()` for validating the `Origin` header, which only anchors at the start of the string. This allows attacker-controlled domains such as `trusted.example.com.evil.com` to pass validation against patterns intended to match `trusted.example.com`. The vulnerability affects multiple locations in the codebase, including CORS headers, WebSocket connections, referer validation, and login redirects, potentially enabling phishing attacks, arbitrary code execution, and unauthorized access to sensitive API responses.
2 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
The vulnerability stems from the use of Python's `re.match()` function for validating the `Origin` header against the `allow_origin_pat` configuration. The `re.match()` function matches at the beginning of a string but does not require the pattern to match the entire value, allowing suffix-based bypasses. An attacker can submit an Origin header containing a trusted domain as a prefix followed by additional subdomain levels under attacker control (e.g., `trusted.example.com.evil.com`). This bypass propagates across multiple security-critical code paths: CORS header validation, WebSocket origin checks, referer header validation, and login redirect validation. The root cause is insufficient pattern anchoring—the patterns are not bounded with end-of-string anchors (e.g., `$` in regex), permitting substring exploitation. Affected versions range from 1.12.0 through 2.17.0.
Business impact
This vulnerability enables attackers to circumvent the origin validation controls that organizations rely on to prevent cross-origin attacks. Successful exploitation can lead to phishing attacks against Jupyter Server users, unauthorized access to sensitive API responses, potential remote code execution within the Jupyter environment, and session hijacking via WebSocket manipulation. For organizations using Jupyter Server to host shared computational environments or notebooks containing sensitive data, the business impact includes data theft, intellectual property loss, unauthorized code execution, and reputational damage. The vulnerability is particularly critical in multi-tenant or shared-access scenarios where origin validation provides a key security boundary.
Affected systems
Jupyter Server versions 1.12.0 through 2.17.0 are vulnerable. Organizations running Jupyter Server in any configuration—whether as a standalone service, within a JupyterHub deployment, or integrated into a larger data science platform—are affected if they rely on the `allow_origin_pat` configuration for CORS security. The vulnerability affects all platforms (Linux, macOS, Windows) on which Jupyter Server operates.
Exploitability
Exploitation requires moderate complexity and no elevated privileges. An attacker must craft a malicious web page or application that sends requests with a carefully constructed Origin header to a vulnerable Jupyter Server. The CVSS vector (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H) reflects network accessibility, low attack complexity, and no privilege requirements, but indicates user interaction is necessary—the targeted user must visit the attacker's page or be socially engineered to interact with malicious content. No special knowledge of the target's exact `allow_origin_pat` configuration is required; attackers can probe with various domain patterns. Public proof-of-concept demonstrations or weaponized exploits may accelerate real-world attack deployment.
Remediation
Administrators must upgrade Jupyter Server to a patched version that properly anchors origin validation patterns. Verify the latest patch version against the official Jupyter Server release notes and advisory. As a temporary mitigation, review and tighten `allow_origin_pat` configurations to be as restrictive as possible, ideally using exact domain matches rather than overly broad patterns. Disable CORS entirely if cross-origin access is not required for your use case. Monitor authentication logs and WebSocket connections for suspicious Origin headers that do not match expected legitimate sources.
Patch guidance
Apply the latest patched version of Jupyter Server released after the vulnerability disclosure. Verify the specific patch version from the official Jupyter project advisory. The fix involves replacing `re.match()` with a properly anchored pattern check (typically using `re.fullmatch()` or appending `$` anchors) across all affected code paths. Organizations should test the patched version in a non-production environment before rolling out organization-wide to ensure compatibility with their Jupyter deployments and any custom extensions or configurations.
Detection guidance
Monitor HTTP/HTTPS logs and WebSocket access logs for Origin headers that contain a known trusted domain as a substring but include additional unexpected subdomains or domain components (e.g., requests with Origin: trusted.example.com.attacker.com). Inspect CORS preflight requests (OPTIONS method) for suspicious patterns. Set up alerting on failed or unexpected origin validation events if your Jupyter Server instance logs such events. Intrusion detection systems can be tuned to flag requests with Origin headers that appear to be attempting domain confusion or header injection. Review logs for successful cross-origin API calls from unexpected origins, particularly those accessing sensitive endpoints or triggering code execution.
Why prioritize this
This vulnerability merits immediate attention due to its high CVSS score (8.8), broad attack surface spanning multiple security boundaries, and the direct compromise of a key security control (origin validation). The requirement for user interaction slightly reduces urgency compared to wormable network vulnerabilities, but phishing and social engineering are well-established attack vectors. Jupyter Server environments often contain or have access to sensitive computational data, intellectual property, or research. The vulnerability affects a widely used tool in data science and research communities.
Risk score, explained
The CVSS 3.1 score of 8.8 (HIGH) reflects: network-based attack vector with no privilege escalation required, low attack complexity, high impact on confidentiality (unauthorized data access), high impact on integrity (unauthorized modification or code execution), and high impact on availability (potential service disruption). User interaction is required, which prevents a critical score, but the ease of social engineering and the broad applicability of the bypass make this a serious threat. The vulnerability directly undermines a critical security boundary in multi-tenant environments.
Frequently asked questions
Do I need an existing account on the Jupyter Server to exploit this vulnerability?
No. The vulnerability in origin validation allows attackers to bypass CORS checks without authentication. However, depending on what endpoints are exposed and the specific configuration, some functionality may require authentication. The vulnerability primarily enables attackers to initiate requests that appear to come from a trusted origin, bypassing the first-line defense. Subsequent access to sensitive endpoints may still require valid credentials, but the origin bypass enables new attack vectors.
How can I tell if my Jupyter Server configuration is vulnerable?
Check your Jupyter Server version against the affected range (1.12.0 through 2.17.0) and verify whether you have `allow_origin_pat` configured in your settings. If you are using default configuration without custom CORS settings, review your jupyter_server_config.py or environment variables for any `allow_origin_pat` settings. The vulnerability only manifests if this configuration is in use; servers not relying on pattern-based origin validation may have different security postures.
Can this vulnerability affect Jupyter Notebook (the standalone application)?
This vulnerability is specific to Jupyter Server, which is the backend service component. Jupyter Notebook versions prior to version 7 used a different architecture. However, Jupyter Notebook 7 and later are built on Jupyter Server, so they are affected by this vulnerability if they include vulnerable Server versions. Verify your specific Jupyter Notebook or JupyterHub version to determine if it includes a vulnerable Jupyter Server dependency.
What is the relationship between this vulnerability and WebSocket connections?
Jupyter Server uses WebSocket connections for real-time communication between the frontend and kernel. The vulnerability affects origin validation for WebSocket handshakes as well as standard HTTP CORS checks. This means an attacker could establish a WebSocket connection that appears to originate from a trusted domain, potentially enabling session hijacking, unauthorized kernel execution, or injection of malicious code into the notebook environment.
This analysis is provided for informational purposes to assist security professionals in understanding and remediating CVE-2026-6657. The vulnerability details, affected versions, and CVSS score are based on official disclosures and advisories. Organizations are responsible for verifying patch availability and compatibility with their specific deployments before applying updates. No warranty is provided regarding the completeness or accuracy of mitigation strategies described. Security teams should consult official Jupyter Project advisories and conduct their own risk assessments based on their environment and threat model. This document does not constitute security advice tailored to any specific organization or system. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-44698HIGHHome Assistant Companion App Token Theft Vulnerability
- CVE-2026-47265HIGHAIOHTTP Cookie Leak on Cross-Origin Redirects (CVSS 7.5)
- CVE-2026-10010MEDIUMChrome Android Site Isolation Bypass
- CVE-2026-10937MEDIUMChrome Same-Origin Policy Bypass in Password Handling
- CVE-2026-10996MEDIUMChrome Same-Origin Policy Bypass in Web Workers
- CVE-2026-11020MEDIUMChrome Extension XML Cross-Origin Data Leak – Patch to 149.0.7827.53
- CVE-2026-11032MEDIUMChrome Password Manager Cross-Origin Data Leak
- CVE-2026-34460MEDIUMNamelessMC OAuth State Validation Flaw Enables Session Hijacking