Description
OAuthenticator is software that allows OAuth2 identity providers to be plugged in and used with JupyterHub. Prior to version 17.4.0, an authentication bypass vulnerability in oauthenticator allows an attacker with an unverified email address on an Auth0 tenant to login to JupyterHub. When email is used as the usrname_claim, this gives users control over their username and the possibility of account takeover. This issue has been patched in version 17.4.0.
Published: 2026-04-03
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Authentication bypass allowing account takeover via unverified email claims
Action: Immediate Patch
AI Analysis

Impact

The vulnerability arises when an attacker possesses an unverified email address on an Auth0 tenant. Because OAuthAuthenticator accepts the email as the username claim before verification, the attacker can supply that address and authenticate to JupyterHub without proving ownership. This bypass allows the attacker to acquire a JupyterHub account, configure it as desired, and potentially impersonate a legitimate user, thereby achieving account takeover.

Affected Systems

The issue affects the JupyterHub OAuthenticator plugin, specifically all releases prior to version 17.4.0. Any deployment that integrates Auth0 as an OAuth provider and uses the email claim for username identification is susceptible. Updating to the patched release eliminates the vulnerability.

Risk and Exploitability

With a CVSS score of 8.8, the vulnerability is categorized as high risk. Although an EPSS score is not available, the nature of the bypass makes exploitation straightforward for attackers who have control over an Auth0 tenant. The vulnerability is not yet listed in the CISA KEV catalog. Due to the direct authentication pathway, an attacker can potentially gain full control of a JupyterHub instance with minimal effort, reinforcing the need for immediate remediation.

Generated by OpenCVE AI on April 4, 2026 at 01:26 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the OAuthenticator plugin to version 17.4.0 or later.
  • Verify that the OAuth configuration does not permit unverified email claims as the username.
  • Audit the Auth0 tenant settings to ensure all email addresses are verified before accepting login requests.
  • Monitor authentication logs for unusual logins from previously unverified addresses.

Generated by OpenCVE AI on April 4, 2026 at 01:26 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-rrvg-cxh4-qhrv Auth0OAuthenticator has an Authentication Bypass via Unverified Email Claims
History

Wed, 15 Apr 2026 18:45:00 +0000

Type Values Removed Values Added
First Time appeared Jupyter
Jupyter oauthenticator
CPEs cpe:2.3:a:jupyter:oauthenticator:*:*:*:*:*:*:*:*
Vendors & Products Jupyter
Jupyter oauthenticator

Tue, 07 Apr 2026 18:00:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Tue, 07 Apr 2026 00:00:00 +0000

Type Values Removed Values Added
First Time appeared Jupyterhub
Jupyterhub oauthenticator
Vendors & Products Jupyterhub
Jupyterhub oauthenticator

Fri, 03 Apr 2026 22:45:00 +0000

Type Values Removed Values Added
Description OAuthenticator is software that allows OAuth2 identity providers to be plugged in and used with JupyterHub. Prior to version 17.4.0, an authentication bypass vulnerability in oauthenticator allows an attacker with an unverified email address on an Auth0 tenant to login to JupyterHub. When email is used as the usrname_claim, this gives users control over their username and the possibility of account takeover. This issue has been patched in version 17.4.0.
Title OAuthenticator: Authentication Bypass in Auth0OAuthenticator via Unverified Email Claims
Weaknesses CWE-287
CWE-290
References
Metrics cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}

Subscriptions

Jupyter Oauthenticator
Jupyterhub Oauthenticator
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-07T16:01:12.600Z

Reserved: 2026-03-17T22:16:36.719Z

Link: CVE-2026-33175

cve-icon Vulnrichment

Updated: 2026-04-07T15:48:34.428Z

cve-icon NVD

Status : Analyzed

Published: 2026-04-03T22:16:26.483

Modified: 2026-04-15T18:42:03.173

Link: CVE-2026-33175

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-06T22:21:55Z

Weaknesses