CVE-2026-33709: JupyterHub: open redirect enables post-login phishing

GHSA-3vff-hjqv-m7h8 MEDIUM
Published April 3, 2026
CISO Take

JupyterHub deployments on 5.4.3 or earlier are vulnerable to a link-crafting attack that redirects authenticated users to attacker-controlled sites after login, enabling credential harvesting and phishing against your data science and ML engineering teams. Patch to 5.4.4 immediately; if you cannot patch, add a Location-header allowlist in your reverse proxy. Risk is elevated because AI/ML teams often have privileged access to training data, model artifacts, and cloud ML infrastructure.

What is the risk?

Medium severity by CVSS, but operationally higher in AI/ML environments. JupyterHub is the standard multi-user notebook platform for data science teams, frequently exposed to internal networks or the internet. Exploitation is trivial (URL crafting, no auth required) and relies only on user click. The deceptive post-login redirect increases success rate compared to naive phishing since users trust the JupyterHub login page they just authenticated against. Blast radius depends on what ML engineers have access to: cloud credentials, model registries, training datasets, and internal APIs are common.

What systems are affected?

Package Ecosystem Vulnerable Range Patched
Jupyter pip <= 5.4.3 5.4.4
13.2K OpenSSF 5.8 1.9K dependents Pushed 6d ago 59% patched ~24d to patch Full package profile →

Do you use Jupyter? You're affected.

How severe is it?

CVSS 3.1
N/A
EPSS
0.2%
chance of exploitation in 30 days
Higher than 13% of all CVEs
Exploitation Status
No known exploitation
Sophistication
Trivial

What should I do?

5 steps
  1. PATCH

    Upgrade JupyterHub to 5.4.4 (fix is available, straightforward upgrade).

  2. WORKAROUND if patching is delayed: Add a Location-header filter in your reverse proxy (nginx: add_header X-Accel-Redirect validation; Apache: mod_headers; Traefik: middleware stripprefix or custom headers plugin) to block redirects to external domains.

  3. DETECTION

    Review access logs for login requests with next= parameters pointing to external domains — pattern: /hub/login?next=http[s]://[^your-domain].

  4. AWARENESS

    Alert ML/data science teams not to click JupyterHub links from email or chat without verifying the domain.

  5. NETWORK

    If JupyterHub is internet-facing without business need, restrict to VPN or internal network.

What does CISA's SSVC say?

Decision Track
Exploitation none
Automatable No
Technical Impact partial

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

How is it classified?

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act
Art. 15 - Accuracy, robustness and cybersecurity of high-risk AI systems
ISO 42001
A.9.2 - Information security in AI system development
NIST AI RMF
MANAGE 2.2 - Mechanisms to sustain treatment of identified AI risks

Frequently Asked Questions

What is CVE-2026-33709?

JupyterHub deployments on 5.4.3 or earlier are vulnerable to a link-crafting attack that redirects authenticated users to attacker-controlled sites after login, enabling credential harvesting and phishing against your data science and ML engineering teams. Patch to 5.4.4 immediately; if you cannot patch, add a Location-header allowlist in your reverse proxy. Risk is elevated because AI/ML teams often have privileged access to training data, model artifacts, and cloud ML infrastructure.

Is CVE-2026-33709 actively exploited?

No confirmed active exploitation of CVE-2026-33709 has been reported, but organizations should still patch proactively.

How to fix CVE-2026-33709?

1. PATCH: Upgrade JupyterHub to 5.4.4 (fix is available, straightforward upgrade). 2. WORKAROUND if patching is delayed: Add a Location-header filter in your reverse proxy (nginx: add_header X-Accel-Redirect validation; Apache: mod_headers; Traefik: middleware stripprefix or custom headers plugin) to block redirects to external domains. 3. DETECTION: Review access logs for login requests with `next=` parameters pointing to external domains — pattern: `/hub/login?next=http[s]://[^your-domain]`. 4. AWARENESS: Alert ML/data science teams not to click JupyterHub links from email or chat without verifying the domain. 5. NETWORK: If JupyterHub is internet-facing without business need, restrict to VPN or internal network.

What systems are affected by CVE-2026-33709?

This vulnerability affects the following AI/ML architecture patterns: ML development environments, Training pipelines, Collaborative notebook platforms, Model experimentation infrastructure.

What is the CVSS score for CVE-2026-33709?

No CVSS score has been assigned yet.

What is the AI security impact?

Affected AI Architectures

ML development environmentsTraining pipelinesCollaborative notebook platformsModel experimentation infrastructure

MITRE ATLAS Techniques

AML.T0011.003 Malicious Link
AML.T0012 Valid Accounts
AML.T0049 Exploit Public-Facing Application
AML.T0052 Phishing

Compliance Controls Affected

EU AI Act: Art. 15
ISO 42001: A.9.2
NIST AI RMF: MANAGE 2.2

What are the technical details?

Original Advisory

## Affected Version JupyterHub <= 5.4.3 ## Impact An open redirect vulnerability in JupyterHub <=5.4.3 allows attackers to construct links which, when clicked, take users to the JupyterHub login page, after which they are sent to an arbitrary attacker-controlled site outside JupyterHub instead of a JupyterHub page, bypassing JupyterHub's check to prevent this. ## Patches Upgrade to JupyterHub 5.4.4 ## Workarounds A deployment can apply filters on the Location header in a reverse proxy such as nginx/apache/traefik.

Exploitation Scenario

An adversary targeting an ML engineering team sends a Slack message or email with a link: `https://jupyter.company.com/hub/login?next=https://attacker.com/harvest`. The user, seeing a familiar JupyterHub URL, clicks it, authenticates normally on the real login page, and is silently redirected to a cloned internal portal or credential-harvesting page. The attacker collects credentials for cloud provider consoles, MLflow/Weights&Biases, or internal data platforms. In a more targeted scenario, the attacker uses this access to exfiltrate model weights, poison training datasets, or pivot to production ML serving infrastructure.

Weaknesses (CWE)

CWE-601 — URL Redirection to Untrusted Site ('Open Redirect'): The web application accepts a user-controlled input that specifies a link to an external site, and uses that link in a redirect.

  • [Implementation] Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue." Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylis
  • [Architecture and Design] Use an intermediate disclaimer page that provides the user with a clear warning that they are leaving the current site. Implement a long timeout before the redirect occurs, or force the user to click on the link. Be careful to avoid XSS problems (CWE-79) when generating the disclaimer page.

Source: MITRE CWE corpus.

Timeline

Published
April 3, 2026
Last Modified
April 3, 2026
First Seen
April 4, 2026

Related Vulnerabilities