Description
JupyterHub is software that allows one to create a multi-user server for Jupyter notebooks. Prior to version 5.4.4, an open redirect vulnerability in JupyterHub allows attackers to construct links which, when clicked, take users to the JupyterHub login page, after which they are sent to an arbitrary attacker-controlled site outside JupyterHub instead of a JupyterHub page, bypassing JupyterHub's check to prevent this. This issue has been patched in version 5.4.4.
Published: 2026-04-03
Score: 5.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Open Redirect leading to external site bypassing login
Action: Apply Patch
AI Analysis

Impact

JupyterHub versions prior to 5.4.4 contain an open redirect flaw that enables an attacker to craft URLs that, after a user logs in, forward them to an arbitrary external site. By exploiting CWE-601, a malicious actor can deliver phishing content or malicious payloads once the user has authenticated, potentially compromising credentials or other sensitive data. The flaw does not grant direct code execution but can be used to subvert user trust and facilitate further attacks.

Affected Systems

The issue affects the JupyterHub application supplied by the community. Any instance running a version older than 5.4.4 is susceptible, as the patch was introduced in that release. No other vendors or product lines are listed as affected.

Risk and Exploitability

The vulnerability has a CVSS score of 5.1, indicating moderate potential impact. Exploit likelihood is unquantified (EPSS not available), and the flaw is not listed in CISA’s KEV catalog. An attacker can exploit the flaw by sending a user a carefully constructed link that, once clicked, redirects the authenticated session to a malicious domain. Such an exploit requires user interaction but does not require privileged access on the target system.

Generated by OpenCVE AI on April 4, 2026 at 01:25 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade JupyterHub to version 5.4.4 or later

Generated by OpenCVE AI on April 4, 2026 at 01:25 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-3vff-hjqv-m7h8 JupyterHub has an Open Redirect Vulnerability
History

Wed, 22 Apr 2026 16:00:00 +0000

Type Values Removed Values Added
First Time appeared Jupyter
Jupyter jupyterhub
CPEs cpe:2.3:a:jupyter:jupyterhub:*:*:*:*:*:*:*:*
Vendors & Products Jupyter
Jupyter jupyterhub
Metrics cvssV3_1

{'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}

Tue, 07 Apr 2026 00:00:00 +0000

Type Values Removed Values Added
First Time appeared Jupyterhub
Jupyterhub jupyterhub
Vendors & Products Jupyterhub
Jupyterhub jupyterhub

Mon, 06 Apr 2026 20:00:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 03 Apr 2026 22:45:00 +0000

Type Values Removed Values Added
Description JupyterHub is software that allows one to create a multi-user server for Jupyter notebooks. Prior to version 5.4.4, an open redirect vulnerability in JupyterHub allows attackers to construct links which, when clicked, take users to the JupyterHub login page, after which they are sent to an arbitrary attacker-controlled site outside JupyterHub instead of a JupyterHub page, bypassing JupyterHub's check to prevent this. This issue has been patched in version 5.4.4.
Title JupyterHub has an Open Redirect Vulnerability
Weaknesses CWE-601
References
Metrics cvssV4_0

{'score': 5.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N'}

Subscriptions

Jupyter Jupyterhub
Jupyterhub Jupyterhub
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-06T17:33:47.412Z

Reserved: 2026-03-23T17:06:05.747Z

Link: CVE-2026-33709

cve-icon Vulnrichment

Updated: 2026-04-06T17:33:43.265Z

cve-icon NVD

Status : Analyzed

Published: 2026-04-03T22:16:26.657

Modified: 2026-04-22T15:59:59.570

Link: CVE-2026-33709

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-06T22:21:53Z

Weaknesses