JupyterHub deployments on 5.4.3 or earlier are vulnerable to a link-crafting attack that redirects authenticated users to attacker-controlled sites after login, enabling credential harvesting and phishing against your data science and ML engineering teams. Patch to 5.4.4 immediately; if you cannot patch, add a Location-header allowlist in your reverse proxy. Risk is elevated because AI/ML teams often have privileged access to training data, model artifacts, and cloud ML infrastructure.
What is the risk?
Medium severity by CVSS, but operationally higher in AI/ML environments. JupyterHub is the standard multi-user notebook platform for data science teams, frequently exposed to internal networks or the internet. Exploitation is trivial (URL crafting, no auth required) and relies only on user click. The deceptive post-login redirect increases success rate compared to naive phishing since users trust the JupyterHub login page they just authenticated against. Blast radius depends on what ML engineers have access to: cloud credentials, model registries, training datasets, and internal APIs are common.
What systems are affected?
| Package | Ecosystem | Vulnerable Range | Patched |
|---|---|---|---|
| Jupyter | pip | <= 5.4.3 | 5.4.4 |
Do you use Jupyter? You're affected.
How severe is it?
What should I do?
5 steps-
PATCH
Upgrade JupyterHub to 5.4.4 (fix is available, straightforward upgrade).
-
WORKAROUND if patching is delayed: Add a Location-header filter in your reverse proxy (nginx: add_header X-Accel-Redirect validation; Apache: mod_headers; Traefik: middleware stripprefix or custom headers plugin) to block redirects to external domains.
-
DETECTION
Review access logs for login requests with
next=parameters pointing to external domains — pattern:/hub/login?next=http[s]://[^your-domain]. -
AWARENESS
Alert ML/data science teams not to click JupyterHub links from email or chat without verifying the domain.
-
NETWORK
If JupyterHub is internet-facing without business need, restrict to VPN or internal network.
What does CISA's SSVC say?
Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.
How is it classified?
Which compliance frameworks are affected?
This CVE is relevant to:
Frequently Asked Questions
What is CVE-2026-33709?
JupyterHub deployments on 5.4.3 or earlier are vulnerable to a link-crafting attack that redirects authenticated users to attacker-controlled sites after login, enabling credential harvesting and phishing against your data science and ML engineering teams. Patch to 5.4.4 immediately; if you cannot patch, add a Location-header allowlist in your reverse proxy. Risk is elevated because AI/ML teams often have privileged access to training data, model artifacts, and cloud ML infrastructure.
Is CVE-2026-33709 actively exploited?
No confirmed active exploitation of CVE-2026-33709 has been reported, but organizations should still patch proactively.
How to fix CVE-2026-33709?
1. PATCH: Upgrade JupyterHub to 5.4.4 (fix is available, straightforward upgrade). 2. WORKAROUND if patching is delayed: Add a Location-header filter in your reverse proxy (nginx: add_header X-Accel-Redirect validation; Apache: mod_headers; Traefik: middleware stripprefix or custom headers plugin) to block redirects to external domains. 3. DETECTION: Review access logs for login requests with `next=` parameters pointing to external domains — pattern: `/hub/login?next=http[s]://[^your-domain]`. 4. AWARENESS: Alert ML/data science teams not to click JupyterHub links from email or chat without verifying the domain. 5. NETWORK: If JupyterHub is internet-facing without business need, restrict to VPN or internal network.
What systems are affected by CVE-2026-33709?
This vulnerability affects the following AI/ML architecture patterns: ML development environments, Training pipelines, Collaborative notebook platforms, Model experimentation infrastructure.
What is the CVSS score for CVE-2026-33709?
No CVSS score has been assigned yet.
What is the AI security impact?
Affected AI Architectures
MITRE ATLAS Techniques
AML.T0011.003 Malicious Link AML.T0012 Valid Accounts AML.T0049 Exploit Public-Facing Application AML.T0052 Phishing Compliance Controls Affected
What are the technical details?
Original Advisory
## Affected Version JupyterHub <= 5.4.3 ## Impact An open redirect vulnerability in JupyterHub <=5.4.3 allows attackers to construct links which, when clicked, take users to the JupyterHub login page, after which they are sent to an arbitrary attacker-controlled site outside JupyterHub instead of a JupyterHub page, bypassing JupyterHub's check to prevent this. ## Patches Upgrade to JupyterHub 5.4.4 ## Workarounds A deployment can apply filters on the Location header in a reverse proxy such as nginx/apache/traefik.
Exploitation Scenario
An adversary targeting an ML engineering team sends a Slack message or email with a link: `https://jupyter.company.com/hub/login?next=https://attacker.com/harvest`. The user, seeing a familiar JupyterHub URL, clicks it, authenticates normally on the real login page, and is silently redirected to a cloned internal portal or credential-harvesting page. The attacker collects credentials for cloud provider consoles, MLflow/Weights&Biases, or internal data platforms. In a more targeted scenario, the attacker uses this access to exfiltrate model weights, poison training datasets, or pivot to production ML serving infrastructure.
Weaknesses (CWE)
CWE-601 — URL Redirection to Untrusted Site ('Open Redirect'): The web application accepts a user-controlled input that specifies a link to an external site, and uses that link in a redirect.
- [Implementation] Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue." Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylis
- [Architecture and Design] Use an intermediate disclaimer page that provides the user with a clear warning that they are leaving the current site. Implement a long timeout before the redirect occurs, or force the user to click on the link. Be careful to avoid XSS problems (CWE-79) when generating the disclaimer page.
Source: MITRE CWE corpus.
References
Timeline
Related Vulnerabilities
CVE-2023-25574 10.0 JupyterHub LTI13: JWT forgery enables full auth bypass
Same package: jupyter CVE-2026-44180 9.8 Jupyter Enterprise Gateway: root privilege bypass in Kubernetes
Same package: jupyter CVE-2026-23537 9.1 Feast: unauth file write to RCE via /save-document
Same package: jupyter CVE-2026-44727 9.0 jupyter-server: stored XSS yields kernel RCE
Same package: jupyter CVE-2026-42557 8.8 JupyterLab: one-click RCE via notebook HTML cell output
Same package: jupyter