Description
Jupyter Server is the backend for Jupyter web applications. In versions 2.17.0 and earlier, the secret used to sign authentication cookies is persisted to a static file at ~/.local/share/jupyter/runtime/jupyter_cookie_secret and is never rotated when a user changes their password. After a password reset and server restart, any previously issued authentication cookie remains cryptographically valid because the signing key has not changed. An attacker who has captured a session cookie through any means retains full authenticated access to the server regardless of subsequent password changes. This affects deployments using password-based authentication, particularly shared or public-facing servers where credential rotation is expected to revoke existing sessions. This issue has been fixed in version 2.18.0.
Published: 2026-05-05
Score: 7.6 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability exists because Jupyter Server versions 2.17.0 and earlier use a static file to store the secret that signs authentication cookies, and this secret is never rotated when a user changes their password. Consequently, any cookie that was valid before a password reset remains cryptographically valid after the password is changed and the server is restarted. An attacker who has captured such a cookie retains full authenticated access, even though the user’s credentials have been updated, effectively bypassing the expected session revocation behavior. This is a classic example of a credential validation weakness (CWE-613).

Affected Systems

The affected product is Jupyter Server, specifically the jupyter_server component. Versions 2.17.0 and earlier are impacted; the issue was resolved in version 2.18.0.

Risk and Exploitability

The CVSS score of 7.6 indicates a high severity, and although the EPSS score is not available, the vulnerability is not listed in CISA KEV. An attacker can exploit this by acquiring a session cookie through various means such as network interception or local compromise; once the cookie is in hand, the attacker can impersonate the user even after the password has been changed. The lack of cookie rotation makes the session hijack persistent, posing a significant confidentiality and integrity risk to users and administrators.

Generated by OpenCVE AI on May 5, 2026 at 22:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Jupyter Server to version 2.18.0 or later to eliminate the static cookie secret issue.
  • If an immediate patch is not feasible, disable password‑based authentication and enforce a token or multi‑factor authentication mechanism to prevent reliance on static session cookies.
  • As a temporary mitigation, clear the cookie secret file at ~/.local/share/jupyter/runtime/jupyter_cookie_secret and restart the server to force a fresh secret generation, though this may not fully address all edge cases.

Generated by OpenCVE AI on May 5, 2026 at 22:50 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-5mrq-x3x5-8v8f Jupyter Server's Authentication Cookies Remain Valid After Password Reset and Server Restart
History

Mon, 11 May 2026 15:15:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:jupyter:jupyter_server:*:*:*:*:*:*:*:*
Metrics cvssV3_1

{'score': 6.8, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N'}

Thu, 07 May 2026 13:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

 ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Wed, 06 May 2026 16:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 06 May 2026 09:15:00 +0000

Type Values Removed Values Added
First Time appeared Jupyter
Jupyter jupyter Server
Vendors & Products Jupyter
Jupyter jupyter Server

Tue, 05 May 2026 21:45:00 +0000

Type Values Removed Values Added
Description Jupyter Server is the backend for Jupyter web applications. In versions 2.17.0 and earlier, the secret used to sign authentication cookies is persisted to a static file at ~/.local/share/jupyter/runtime/jupyter_cookie_secret and is never rotated when a user changes their password. After a password reset and server restart, any previously issued authentication cookie remains cryptographically valid because the signing key has not changed. An attacker who has captured a session cookie through any means retains full authenticated access to the server regardless of subsequent password changes. This affects deployments using password-based authentication, particularly shared or public-facing servers where credential rotation is expected to revoke existing sessions. This issue has been fixed in version 2.18.0.
Title jupyter-server authentication cookies remain valid after password reset due to static cookie secret
Weaknesses CWE-613
References
Metrics cvssV4_0

{'score': 7.6, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N'}

Subscriptions

Jupyter Jupyter Server
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-07T12:48:21.223Z

Reserved: 2026-04-15T20:40:15.518Z

Link: CVE-2026-40934

cve-icon Vulnrichment

Updated: 2026-05-06T14:51:42.855Z

cve-icon NVD

Status : Analyzed

Published: 2026-05-05T22:16:00.820

Modified: 2026-05-11T13:00:39.473

Link: CVE-2026-40934

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-06T09:00:09Z

Weaknesses