JupyterHub deployments on 5.4.3 or earlier are vulnerable to a link-crafting attack that redirects authenticated users to attacker-controlled sites after login, enabling credential harvesting and phishing against your data science and ML engineering teams. Patch to 5.4.4 immediately; if you cannot patch, add a Location-header allowlist in your reverse proxy. Risk is elevated because AI/ML teams often have privileged access to training data, model artifacts, and cloud ML infrastructure.
What is the risk?
Medium severity by CVSS, but operationally higher in AI/ML environments. JupyterHub is the standard multi-user notebook platform for data science teams, and it is frequently exposed to internal networks or the internet. Exploitation is trivial (URL crafting, no auth required) and relies only on a user clicking the link. The deceptive post-login redirect increases the success rate compared to naive phishing, since users trust the JupyterHub login page they have just authenticated against. Blast radius depends on what ML engineers have access to: cloud credentials, model registries, training datasets, and internal APIs are common.
What systems are affected?
| Package | Ecosystem | Vulnerable Range | Patched |
|---|---|---|---|
| jupyterhub | pip | <= 5.4.3 | 5.4.4 |
Do you use jupyterhub? You're affected.
What should I do?
5 steps:
1. PATCH: Upgrade JupyterHub to 5.4.4 (fix is available, straightforward upgrade).
2. WORKAROUND if patching is delayed: Add a Location-header filter in your reverse proxy (nginx: add_header X-Accel-Redirect validation; Apache: mod_headers; Traefik: middleware stripprefix or custom headers plugin) to block redirects to external domains.
3. DETECTION: Review access logs for login requests with `next=` parameters pointing to external domains. Pattern: `/hub/login?next=http[s]://[^your-domain]`.
4. AWARENESS: Alert ML/data science teams not to click JupyterHub links from email or chat without verifying the domain.
5. NETWORK: If JupyterHub is internet-facing without business need, restrict to VPN or internal network.
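The detection step above, as an added example that is not part of this advisory or of the JupyterHub project: a small Python script that scans nginx-style access logs for `/hub/login` requests whose `next` parameter resolves to a host outside an allowlist, and normalises the scheme-relative and backslash forms a plain `http[s]://` grep would miss. The same host check is what a reverse-proxy Location filter has to enforce. The log lines and the Hub hostname `jupyter.company.com` are constructed for the example.

```python
import re
from typing import Optional
from urllib.parse import parse_qs, unquote, urlparse

# Hosts a post-login redirect may legitimately land on (assumption: your Hub's own hostname).
TRUSTED_HOSTS = {"jupyter.company.com"}

# Constructed nginx "combined"-format access-log lines; not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Mar/2026:09:14:02 +0000] "GET /hub/login?next=%2Fhub%2Fhome HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.7 - - [12/Mar/2026:09:15:41 +0000] "GET /hub/login?next=https%3A%2F%2Fattacker.example%2Fharvest HTTP/1.1" 302 0 "-" "Mozilla/5.0"
10.0.0.9 - - [12/Mar/2026:09:16:03 +0000] "GET /hub/login?next=//attacker.example/x HTTP/1.1" 302 0 "-" "Mozilla/5.0"
10.0.0.9 - - [12/Mar/2026:09:16:20 +0000] "GET /hub/login?next=https://jupyter.company.com/user/alice HTTP/1.1" 302 0 "-" "Mozilla/5.0"
10.0.0.3 - - [12/Mar/2026:09:17:00 +0000] "GET /hub/api/users HTTP/1.1" 200 1024 "-" "python-requests/2.31"
"""

# ip ident user [timestamp] "METHOD target PROTO" status ...
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

def redirect_target_host(next_value: str) -> Optional[str]:
    """Host a `next` value would send the browser to, or None for a same-site path.

    Browsers treat backslashes as slashes and collapse extra slashes after a scheme
    (or at the start of a scheme-relative URL), so normalise those before parsing.
    """
    candidate = unquote(next_value).replace("\\", "/")
    candidate = re.sub(r"^([a-z][a-z0-9+.-]*:)?/{2,}", r"\1//", candidate, flags=re.I)
    parsed = urlparse(candidate)
    return parsed.hostname if parsed.netloc else None

def find_suspicious_logins(log_text: str) -> list:
    """Flag /hub/login requests whose `next` resolves to a host outside TRUSTED_HOSTS."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m or not urlparse(m.group("target")).path.startswith("/hub/login"):
            continue
        for next_value in parse_qs(urlparse(m.group("target")).query).get("next", []):
            host = redirect_target_host(next_value)
            if host is not None and host not in TRUSTED_HOSTS:
                hits.append({"ip": m.group("ip"), "ts": m.group("ts"), "next": next_value, "host": host})
    return hits

if __name__ == "__main__":
    for hit in find_suspicious_logins(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['ip']} redirect to external host {hit['host']} (next={hit['next']!r})")
```

Only the two requests whose `next` leaves the Hub are reported; the same-site path and the redirect back to the Hub's own hostname are ignored.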
Frequently Asked Questions
Is CVE-2026-33709 actively exploited?
No confirmed active exploitation of CVE-2026-33709 has been reported, but organizations should still patch proactively.
What systems are affected by CVE-2026-33709?
This vulnerability affects the following AI/ML architecture patterns: ML development environments, Training pipelines, Collaborative notebook platforms, Model experimentation infrastructure.
What is the CVSS score for CVE-2026-33709?
No CVSS score has been assigned yet.
Technical Details
NVD Description
Affected Version
JupyterHub <= 5.4.3
Impact
An open redirect vulnerability in JupyterHub <= 5.4.3 allows attackers to construct links which, when clicked, take users to the JupyterHub login page, after which they are sent to an arbitrary attacker-controlled site outside JupyterHub instead of a JupyterHub page, bypassing JupyterHub's check to prevent this.
Patches
Upgrade to JupyterHub 5.4.4.
Workarounds
A deployment can apply filters on the Location header in a reverse proxy such as nginx/apache/traefik.
Exploitation Scenario
An adversary targeting an ML engineering team sends a Slack message or email with a link: `https://jupyter.company.com/hub/login?next=https://attacker.com/harvest`. The user, seeing a familiar JupyterHub URL, clicks it, authenticates normally on the real login page, and is silently redirected to a cloned internal portal or credential-harvesting page. The attacker collects credentials for cloud provider consoles, MLflow/Weights&Biases, or internal data platforms. In a more targeted scenario, the attacker uses this access to exfiltrate model weights, poison training datasets, or pivot to production ML serving infrastructure.