CVE-2026-40934

GHSA-5mrq-x3x5-8v8f MEDIUM
Published May 5, 2026

Summary

A persistent cookie secret vulnerability allows authenticated users to maintain indefinite access even after password changes. The cookie secret used to sign authentication cookies is stored in a permanent file (`~/.local/share/jupyter/runtime/jupyter_cookie_secret`) that is never...


Affected Systems

Package: jupyter-server
Ecosystem: pip
Vulnerable Range: <= 2.17.0
Patched: 2.18.0

Severity & Risk

CVSS 3.1
6.8 / 10
EPSS
N/A
Exploitation Status
No known exploitation
Sophistication
N/A

Attack Surface

Attack Vector (AV): Network
Attack Complexity (AC): High
Privileges Required (PR): Low
User Interaction (UI): None
Scope (S): Unchanged
Confidentiality (C): High
Integrity (I): High
Availability (A): None

Recommended Action

Patch available

Update jupyter-server to version 2.18.0

Frequently Asked Questions

What is CVE-2026-40934?

Jupyter Server's Authentication Cookies Remain Valid After Password Reset and Server Restart

Is CVE-2026-40934 actively exploited?

No confirmed active exploitation of CVE-2026-40934 has been reported, but organizations should still patch proactively.

How to fix CVE-2026-40934?

Update to patched version: jupyter-server 2.18.0.

What is the CVSS score for CVE-2026-40934?

CVE-2026-40934 has a CVSS v3.1 base score of 6.8 (MEDIUM).

Technical Details

NVD Description

Summary

A persistent cookie secret vulnerability allows authenticated users to maintain indefinite access even after password changes. The cookie secret used to sign authentication cookies is stored in a permanent file (`~/.local/share/jupyter/runtime/jupyter_cookie_secret`) that is never automatically rotated or cleared, allowing stolen or compromised cookies to remain valid indefinitely regardless of password resets.

PoC

- Start a Jupyter server with password authentication: `jupyter server password`, then `jupyter server`.
- Log in with the password and capture the authentication cookie (e.g., just log in with a browser).
- Change the password to revoke access: `jupyter server password`.
- Restart the server.
- Use the old stolen cookie => it remains valid and provides full authenticated access.

Impact

- All jupyter-server deployments using password authentication where security incidents may occur
- Multi-user systems where one user's compromised session should be revocable by administrators
- Shared or public-facing Jupyter servers where credential rotation is a security requirement
- Any deployment where password changes are expected to revoke existing sessions

Patches

Jupyter Server 2.18+

Workaround

```bash
rm ~/.local/share/jupyter/runtime/jupyter_cookie_secret
# Then restart the server
```
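To show why the workaround above is needed and how an operator can check for the condition, the following is an added Python example, not jupyter-server's own code. It models the persistent secret file with a simplified HMAC cookie scheme (not Tornado's real signed-cookie format), shows a pre-change cookie still verifying after a simulated password change and restart, shows it rejected once the secret file is removed, and adds an mtime-based audit check that assumes `jupyter server password` rewrites `jupyter_server_config.json`.

```python
import hashlib
import hmac
import os
import secrets
import tempfile
from pathlib import Path

# Stand-in for jupyter-server's persistent cookie secret file (constructed; the
# HMAC scheme is simplified and is not Tornado's actual signed-cookie format).
def load_or_create_secret(path: Path) -> bytes:
    """Vulnerable behaviour: reuse the file whenever it exists, never rotate it."""
    if not path.exists():
        path.write_bytes(secrets.token_bytes(32))
    return path.read_bytes()

def sign_cookie(secret: bytes, username: str) -> str:
    tag = hmac.new(secret, username.encode(), hashlib.sha256).hexdigest()
    return f"{username}|{tag}"

def verify_cookie(secret: bytes, cookie: str) -> bool:
    username, _, tag = cookie.partition("|")
    expected = hmac.new(secret, username.encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, tag)

def rotate_secret(path: Path) -> bytes:
    """The advisory's workaround: delete the file so the next start mints a new secret."""
    path.unlink(missing_ok=True)
    return load_or_create_secret(path)

def secret_predates_password(secret_path: Path, config_path: Path) -> bool:
    """Audit check. Assumption: `jupyter server password` rewrites config_path, so a
    secret file older than it means pre-change cookies are still accepted."""
    return (secret_path.exists() and config_path.exists()
            and secret_path.stat().st_mtime < config_path.stat().st_mtime)

def demo(runtime_dir=None) -> dict:
    runtime_dir = runtime_dir or Path(tempfile.mkdtemp())
    secret_path = runtime_dir / "jupyter_cookie_secret"
    cookie = sign_cookie(load_or_create_secret(secret_path), "alice")  # login
    # Password change (constructed config, stamped 60 s later) then restart: the
    # secret file is untouched, so the pre-change cookie still verifies.
    config_path = runtime_dir / "jupyter_server_config.json"
    config_path.write_text('{"ServerApp": {"password": "<rehashed>"}}')
    later = secret_path.stat().st_mtime + 60
    os.utime(config_path, (later, later))
    after_restart = verify_cookie(load_or_create_secret(secret_path), cookie)
    stale = secret_predates_password(secret_path, config_path)
    # Workaround: rotate the secret before restart; the old cookie is now rejected.
    after_rotation = verify_cookie(rotate_secret(secret_path), cookie)
    return {"valid_after_password_change": after_restart,
            "secret_predates_password": stale, "valid_after_rotation": after_rotation}
```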

CVSS Vector

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N

Timeline

Published
May 5, 2026
Last Modified
May 5, 2026
First Seen
May 5, 2026