CVE-2026-34052 — MEDIUM (CVSS 5.9) AI Security Vulnerability

## Summary The LTI 1.1 validator stores OAuth nonces in a class-level dictionary that grows without bounds. Nonces are added before signature validation, so an attacker with knowledge of a valid consumer key can send repeated requests with unique nonces to gradually exhaust server memory, causing...

Full CISO analysis pending enrichment.

Affected Systems

Package	Ecosystem	Vulnerable Range	Patched
jupyterhub-ltiauthenticator	pip	<= 1.6.2	`1.6.3`

Do you use jupyterhub-ltiauthenticator? You're affected.

Severity & Risk

CVSS 3.1

5.9 / 10

EPSS

N/A

Exploitation Status

No known exploitation

Sophistication

N/A

Recommended Action

Patch available

Update jupyterhub-ltiauthenticator to version 1.6.3

Compliance Impact

Compliance analysis pending. Sign in for full compliance mapping when available.

Technical Details

NVD Description

## Summary The LTI 1.1 validator stores OAuth nonces in a class-level dictionary that grows without bounds. Nonces are added before signature validation, so an attacker with knowledge of a valid consumer key can send repeated requests with unique nonces to gradually exhaust server memory, causing a denial of service. ## Patches - upgrade jupyterhub-litauthenticator to 1.6.3

Weaknesses (CWE)

CWE-401 Missing Release of Memory after Effective Lifetime Primary CWE-770 Allocation of Resources Without Limits or Throttling Primary

CVSS Vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

References

Timeline

Published

April 3, 2026

Last Modified

April 3, 2026

First Seen

April 4, 2026