Description
Bokeh is an interactive visualization library written in Python. In versions 3.8.1 and below, if a server is configured with an allowlist (e.g., dashboard.corp), an attacker can register a domain like dashboard.corp.attacker.com (or use a subdomain if applicable) and lure a victim to visit it. The malicious site can then initiate a WebSocket connection to the vulnerable Bokeh server. Since the Origin header (e.g., http://dashboard.corp.attacker.com/) matches the allowlist according to the flawed logic, the connection is accepted. Once connected, the attacker can interact with the Bokeh server on behalf of the victim, potentially accessing sensitive data or modifying visualizations. This issue is fixed in version 3.8.2.
Published: 2026-01-08
Score: 4.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized interaction with the Bokeh server enabling data exposure or manipulation via a hijacked WebSocket connection
Action: Apply patch
AI Analysis

Impact

Bokeh WebSocket Hijacking: Versions 3.8.1 and earlier contain flawed origin validation. An attacker can register a domain whose name begins with an allow-listed hostname (e.g., dashboard.corp.attacker.com for an allow-list entry of dashboard.corp) and lure users to that site. The malicious page then opens a WebSocket to the Bokeh server. Because the Origin header is incorrectly accepted, the server completes the handshake and permits the connection, giving the attacker the same privileges as the victim and allowing data retrieval or manipulation of visualizations. This flaw is a misuse of the server's legitimate interface rather than a classic code-execution vector.

Affected Systems

Vendor: Bokeh (bokeh). Product: the Bokeh interactive visualization library for Python. Affected releases include all versions up to and including 3.8.1. The issue is resolved in 3.8.2 and later releases.

Risk and Exploitability

Severity is rated 4.5 (Medium) on CVSS v4.0; the CVSS v3.1 vector recorded in the history below scores 5.4, also Moderate. EPSS shows less than 1% probability of exploitation, indicating that while the vulnerability exists, it is not frequently targeted. The vulnerability is not listed in the CISA KEV catalog. Exploitation requires an attacker to host a malicious website whose hostname begins with an allow-listed name, so that it passes the server's origin allow-list check, and to persuade an authenticated user to visit it. Once the victim browses that page, a WebSocket handshake is performed that bypasses the server's filter, enabling unauthorized use of the server. No direct code-execution capability is disclosed; the impact is primarily unauthorized data access or manipulation.

Generated by OpenCVE AI on April 18, 2026 at 07:48 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Bokeh to version 3.8.2 or newer to correct the origin validation logic.
  • If an upgrade is not immediately possible, eliminate the origin allow‑list or restrict it to exact hostnames without sub‑domains, and disable WebSocket support if it is not required.
  • Verify that the origin check enforces strict equality rather than prefix matching, and ensure that only authenticated sessions can access sensitive data.
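A minimal illustration of the distinction the last bullet draws, added here and not taken from Bokeh's code base: an allow-list check that treats an entry as a prefix of the Origin host (the class of logic the description attributes to the affected versions) beside one that compares the normalized host exactly. The allow-list entries and Origin header values are constructed for the example.

```python
"""Origin allowlist check for a WebSocket handshake: prefix match vs. exact match.

Added illustration, not Bokeh's code. The allowlist entries and Origin header
values below are constructed. Entries may carry an explicit port (host:port).
"""
from typing import Optional
from urllib.parse import urlsplit

ALLOWLIST = {"dashboard.corp", "dashboard.corp:5006"}  # constructed entries


def origin_host(origin: str) -> Optional[str]:
    """Normalize an Origin header to 'host' or 'host:port'; None if unusable.
    Rejects 'null', non-http(s) schemes and non-numeric ports. urlsplit
    lower-cases .hostname, so DASHBOARD.CORP and dashboard.corp compare equal.
    """
    parts = urlsplit(origin)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    try:
        port = parts.port
    except ValueError:  # e.g. "http://host:abc"
        return None
    return f"{parts.hostname}:{port}" if port else parts.hostname


def origin_allowed_prefix(origin: str) -> bool:
    """FLAWED: accepts any host that merely begins with an allowlist entry,
    so 'dashboard.corp.attacker.com' passes because it starts with 'dashboard.corp'."""
    host = origin_host(origin)
    return host is not None and any(host.startswith(e) for e in ALLOWLIST)


def origin_allowed_strict(origin: str) -> bool:
    """Hardened: the normalized host (and port, if present) must equal an entry."""
    host = origin_host(origin)
    return host is not None and host in ALLOWLIST


if __name__ == "__main__":
    SAMPLES = [  # constructed Origin header values
        "http://dashboard.corp",
        "https://DASHBOARD.CORP:5006",
        "http://dashboard.corp.attacker.com/",  # the lookalike host from the advisory
        "http://evil.example/dashboard.corp",   # allowlisted name in the path, not the host
        "null",
    ]
    for o in SAMPLES:
        print(f"{o:40} prefix={origin_allowed_prefix(o)!s:5} strict={origin_allowed_strict(o)}")
```

Only the lookalike host separates the two checks: the prefix version accepts it, the strict version does not, while a different port or the allow-listed name appearing in the path is rejected by both.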


Advisories

Source: GitHub GHSA
ID: GHSA-793v-589g-574v
Title: Bokeh server applications have Incomplete Origin Validation in WebSockets
History

Mon, 09 Mar 2026 14:15:00 +0000

Type: First Time appeared
  Values Added: Bokeh; Bokeh bokeh
Type: CPEs
  Values Added: cpe:2.3:a:bokeh:bokeh:*:*:*:*:*:python:*:*
Type: Vendors & Products
  Values Added: Bokeh; Bokeh bokeh

Fri, 23 Jan 2026 15:30:00 +0000


Thu, 08 Jan 2026 18:15:00 +0000

Type: Metrics
  Values Added: ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 08 Jan 2026 12:30:00 +0000

Type: References
Type: Metrics
  Values Removed: threat_severity: None
  Values Added: cvssV3_1: {'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N'}; threat_severity: Moderate


Thu, 08 Jan 2026 01:30:00 +0000

Type: Description
  Values Added: Bokeh is an interactive visualization library written in Python. In versions 3.8.1 and below, if a server is configured with an allowlist (e.g., dashboard.corp), an attacker can register a domain like dashboard.corp.attacker.com (or use a subdomain if applicable) and lure a victim to visit it. The malicious site can then initiate a WebSocket connection to the vulnerable Bokeh server. Since the Origin header (e.g., http://dashboard.corp.attacker.com/) matches the allowlist according to the flawed logic, the connection is accepted. Once connected, the attacker can interact with the Bokeh server on behalf of the victim, potentially accessing sensitive data or modifying visualizations. This issue is fixed in version 3.8.2.
Type: Title
  Values Added: Bokeh server applications have Incomplete Origin Validation in WebSockets
Type: Weaknesses
  Values Added: CWE-1385
Type: References
Type: Metrics
  Values Added: cvssV4_0: {'score': 4.5, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U'}

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-01-23T15:09:19.266Z

Reserved: 2026-01-05T17:24:36.928Z

Link: CVE-2026-21883

Vulnrichment

Updated: 2026-01-23T15:09:19.266Z

NVD

Status : Analyzed

Published: 2026-01-08T02:15:53.950

Modified: 2026-03-09T14:00:25.800

Link: CVE-2026-21883

Redhat

Severity : Moderate

Public Date: 2026-01-08T01:20:53Z

Links: CVE-2026-21883 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-18T08:00:05Z

Weaknesses