CVE-2026-33175: oauthenticator: auth bypass enables JupyterHub account takeover

GHSA-rrvg-cxh4-qhrv HIGH
Published April 3, 2026
CISO Take

Any JupyterHub deployment using Auth0OAuthenticator with email as the username_claim is vulnerable to full account takeover — an attacker only needs to register an unverified account on your Auth0 tenant using a target user's email address. The blast radius includes complete access to the victim's notebooks, training datasets, ML pipelines, and cloud credentials stored as environment variables. Upgrade oauthenticator to 17.4.0 immediately; if patching is delayed, enforce email verification at Auth0 or switch username_claim away from email.

What is the risk?

High severity (CVSS 8.8). Exploitation is trivial — no specialized skills are required beyond an Auth0 account registration and knowledge of a target's email address (often public via LinkedIn or corporate directories). JupyterHub is pervasive in enterprise ML/data science teams and frequently stores sensitive artifacts: model weights, training data access keys, AWS/GCP/Azure credentials, and proprietary code. Multi-tenant JupyterHub deployments amplify the impact significantly. Network accessibility and low attack complexity make this immediately actionable for any motivated attacker.

What systems are affected?

Package         Ecosystem   Vulnerable Range   Patched
oauthenticator  pip         < 17.4.0           17.4.0

Do you use oauthenticator? You're affected.

Severity & Risk

CVSS 3.1
8.8 / 10
EPSS
0.1%
chance of exploitation in 30 days
Higher than 31% of all CVEs
Exploitation Status
No known exploitation
Sophistication
Trivial

Attack Surface

Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): Low
User Interaction (UI): None
Scope (S): Unchanged
Confidentiality (C): High
Integrity (I): High
Availability (A): High

What should I do?

5 steps

1. PATCH (primary): Upgrade oauthenticator to 17.4.0 — the only complete remediation.

2. WORKAROUND (if patching is delayed): Implement a post_auth_hook that checks userdata.get('email_verified') == True and rejects unverified accounts before session creation.

3. ALTERNATIVE: Change username_claim from 'email' to 'sub' (Auth0's immutable user ID) to use a non-spoofable identifier — eliminates the attack surface entirely.

4. ENFORCE at IdP: Enable 'Enforce Email Verification' in Auth0 tenant settings to block unverified accounts at the identity provider level as a defense-in-depth measure.

5. DETECT: Audit JupyterHub access logs for logins from accounts where email_verified is absent or false; alert on any such authentication event.
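An added example, not code from the advisory or from the oauthenticator project, of a post_auth_hook covering the WORKAROUND and DETECT steps: it denies any login whose Auth0 userinfo does not carry email_verified == True and writes one structured denial line to alert on. It assumes the oauthenticator 16+ auth_state layout, where the IdP userinfo is stored under the key named by authenticator.user_auth_state_key (assumed to default to "auth0_user" for Auth0); FakeAuthenticator and the sample userinfo are constructed for offline use.

```python
import logging

log = logging.getLogger("jupyterhub.auth0_email_check")

def reject_unverified_email(authenticator, handler, authentication):
    """post_auth_hook(authenticator, handler, authentication): dict to allow, None to deny.

    Only email_verified == True in the Auth0 userinfo is accepted; a missing flag
    (e.g. no `email` scope requested) or a non-boolean value is denied, not allowed.
    """
    if not authentication:
        return None
    auth_state = authentication.get("auth_state") or {}
    # oauthenticator 16+ stores the IdP userinfo under this configurable key
    # (assumed to default to "auth0_user" for Auth0OAuthenticator).
    key = getattr(authenticator, "user_auth_state_key", "user_info")
    userinfo = auth_state.get(key) or {}
    verified = userinfo.get("email_verified")
    if verified is True:  # strict: "true", 1 and None are all rejected
        return authentication
    # One structured line per denial feeds the DETECT step: alert on it.
    log.warning(
        "auth0 login denied (unverified email): username=%r email=%r "
        "email_verified=%r sub=%r",
        authentication.get("name"), userinfo.get("email"), verified,
        userinfo.get("sub"),
    )
    return None

# Wiring in jupyterhub_config.py (c is the config object JupyterHub injects):
#   c.JupyterHub.authenticator_class = "auth0"
#   c.Auth0OAuthenticator.enable_auth_state = True  # keep IdP userinfo in auth_state
#   c.Auth0OAuthenticator.post_auth_hook = reject_unverified_email

class FakeAuthenticator:
    """Stand-in for Auth0OAuthenticator so the hook can be exercised offline."""
    user_auth_state_key = "auth0_user"

def sample_authentication(email_verified):
    """Constructed Auth0 userinfo, in the shape oauthenticator stores it."""
    info = {"sub": "auth0|constructed-id", "email": "alice@example.com"}
    if email_verified is not None:
        info["email_verified"] = email_verified
    return {"name": "alice@example.com", "auth_state": {"auth0_user": info}}

if __name__ == "__main__":
    for flag in (True, False, None, "true"):
        allowed = reject_unverified_email(FakeAuthenticator(), None, sample_authentication(flag))
        print(f"email_verified={flag!r:>7} -> {'ALLOW' if allowed else 'DENY'}")
```

Returning None from the hook is what makes JupyterHub reject the login; the hook is a stopgap only and does not replace the 17.4.0 upgrade.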

CISA SSVC Assessment

Decision Track
Exploitation none
Automatable No
Technical Impact total

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

Classification

Compliance Impact

This CVE is relevant to:

EU AI Act
Article 15 - Accuracy, Robustness and Cybersecurity
ISO 42001
A.6.1.4 - Access control for AI systems
NIST AI RMF
MS-2.5 - AI Risk Management — Security and Resilience
OWASP LLM Top 10
LLM03:2025 - Supply Chain Vulnerabilities

Frequently Asked Questions

Is CVE-2026-33175 actively exploited?

No confirmed active exploitation of CVE-2026-33175 has been reported, but organizations should still patch proactively.

What systems are affected by CVE-2026-33175?

This vulnerability affects the following AI/ML architecture patterns: JupyterHub ML workbenches, collaborative data science platforms, ML training pipelines, notebook-based AI development environments, multi-tenant data science infrastructure.

What is the CVSS score for CVE-2026-33175?

CVE-2026-33175 has a CVSS v3.1 base score of 8.8 (HIGH). The EPSS exploitation probability is 0.13%.

Technical Details

NVD Description

Summary

An authentication bypass vulnerability in `oauthenticator` allows an attacker with an unverified email address on an Auth0 tenant to log in to JupyterHub. When `email` is used as the username_claim, this gives users control over their username and the possibility of account takeover.

Impact

This is an **Authentication Bypass Vulnerability**. Any Auth0 tenant leveraging the `Auth0OAuthenticator` mapping the `email` claim to the JupyterHub username is impacted. By default, Auth0 handles email verification as a user flag, not a hard block to authentication streams. If an attacker can register an account with the Auth0 tenant with an unverified email and knows the email of an existing user on the system, they can authenticate as that user.

Patches

- Upgrade oauthenticator to 17.4

Workarounds

- Check the `email_verified` field in an `Authenticator.post_auth_hook` function
- Do not use `email` as the username claim
- Enforce email verification in Auth0: https://support.auth0.com/center/s/article/Enforce-Email-Verification-With-Sending-Email-After-Each-Denied-Access

Exploitation Scenario

An attacker targets a data scientist at a company using JupyterHub with Auth0 SSO. The attacker obtains the target's corporate email from LinkedIn, a conference talk bio, or a GitHub commit. They register a new account on the same Auth0 tenant — possible if the tenant allows self-service registration or if the attacker has any legitimate access — using the target's email without completing email verification. Auth0 allows authentication for unverified accounts by default. The attacker authenticates to JupyterHub, which maps the unverified email claim directly to the JupyterHub username without checking email_verified, granting full access to the victim's environment including notebooks with proprietary model code, mounted datasets, and stored API keys for OpenAI, AWS, or other cloud services.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Timeline

Published
April 3, 2026
Last Modified
April 3, 2026
First Seen
April 4, 2026
