### Impact The FiftyOne App/API server (`fiftyone/server/app.py`) and the `/media` route (`fiftyone/server/routes/media.py`) unconditionally set a permissive CORS header (`Access-Control-Allow-Origin: *`) on their responses. Because the embedded App server runs locally and is unauthenticated, this...
Full CISO analysis pending enrichment.
What systems are affected?
| Package | Ecosystem | Vulnerable Range | Patched |
|---|---|---|---|
| Jupyter Notebook | pip | < 1.17.0 | 1.17.0 |
Do you use Jupyter Notebook? You're affected.
How severe is it?
What is the attack surface?
What should I do?
Patch available
Update Jupyter Notebook to version 1.17.0
Which compliance frameworks are affected?
Compliance analysis pending. Sign in for full compliance mapping when available.
Frequently Asked Questions
What is CVE-2026-53656?
### Impact The FiftyOne App/API server (`fiftyone/server/app.py`) and the `/media` route (`fiftyone/server/routes/media.py`) unconditionally set a permissive CORS header (`Access-Control-Allow-Origin: *`) on their responses. Because the embedded App server runs locally and is unauthenticated, this allows **any website a user visits to make cross-origin requests to that user's running FiftyOne server and read the responses**. Combined with the unauthenticated `/media` endpoint — which serves files from the local filesystem by path — the wildcard CORS policy turns a local-only file read into a **remotely exploitable, drive-by data exfiltration** vulnerability. A malicious web page can silently issue requests such as `http://localhost:5151/media?filepath=/etc/passwd` and read arbitrary files accessible to the server process (SSH keys, cloud credentials, `.env` files, dataset media, etc.), then exfiltrate them to an attacker-controlled endpoint. The victim only needs to have a FiftyOne server running locally and visit a malicious page — no clicks or other interaction are required. Browsers that have shipped Private Network Access / local-network-access protections (e.g. Chromium 142+) mitigate this for some users, but Safari and Firefox do not yet, so the attack remains viable in common configurations. **Who is impacted:** any user running FiftyOne (the open-source, embedded App server) locally while also browsing the web. **Not affected:** media stored in cloud buckets, which is served via signed URLs on a separate origin. ### Patches Fixed in **FiftyOne 1.17.0**. The hard-coded `Access-Control-Allow-Origin: *` has been removed and the server now responds **same-origin only by default**, which covers local desktop usage and the supported notebook integrations (each served through a same-origin proxy or iframe). Cross-origin access is now opt-in via a new `allowed_origins` config option (environment variable `FIFTYONE_ALLOWED_ORIGINS`), an explicit comma-separated list of trusted origins, e.g.: ```shell export FIFTYONE_ALLOWED_ORIGINS='https://app.example.com,http://localhost:3000' ``` The literal value `*` restores the legacy wildcard behavior for users who explicitly require it and emits a warning. **Users should upgrade to FiftyOne 1.17.0 or later.** ### Workarounds In affected versions there is no configuration flag to disable the wildcard CORS header without upgrading. Until you can upgrade: - Do not run the FiftyOne App server while browsing untrusted websites. - Keep the App server bound to `localhost` (the default) and avoid exposing it on a network interface. - Use a browser that enforces Private Network Access protections. ### Resources - OWASP A01:2025 – Broken Access Control: https://owasp.org/Top10/2025/A01_2025-Broken_Access_Control/
Is CVE-2026-53656 actively exploited?
No confirmed active exploitation of CVE-2026-53656 has been reported, but organizations should still patch proactively.
How to fix CVE-2026-53656?
Update to patched version: Jupyter Notebook 1.17.0.
What is the CVSS score for CVE-2026-53656?
CVE-2026-53656 has a CVSS v3.1 base score of 6.3 (MEDIUM).
What are the technical details?
Original Advisory
### Impact The FiftyOne App/API server (`fiftyone/server/app.py`) and the `/media` route (`fiftyone/server/routes/media.py`) unconditionally set a permissive CORS header (`Access-Control-Allow-Origin: *`) on their responses. Because the embedded App server runs locally and is unauthenticated, this allows **any website a user visits to make cross-origin requests to that user's running FiftyOne server and read the responses**. Combined with the unauthenticated `/media` endpoint — which serves files from the local filesystem by path — the wildcard CORS policy turns a local-only file read into a **remotely exploitable, drive-by data exfiltration** vulnerability. A malicious web page can silently issue requests such as `http://localhost:5151/media?filepath=/etc/passwd` and read arbitrary files accessible to the server process (SSH keys, cloud credentials, `.env` files, dataset media, etc.), then exfiltrate them to an attacker-controlled endpoint. The victim only needs to have a FiftyOne server running locally and visit a malicious page — no clicks or other interaction are required. Browsers that have shipped Private Network Access / local-network-access protections (e.g. Chromium 142+) mitigate this for some users, but Safari and Firefox do not yet, so the attack remains viable in common configurations. **Who is impacted:** any user running FiftyOne (the open-source, embedded App server) locally while also browsing the web. **Not affected:** media stored in cloud buckets, which is served via signed URLs on a separate origin. ### Patches Fixed in **FiftyOne 1.17.0**. The hard-coded `Access-Control-Allow-Origin: *` has been removed and the server now responds **same-origin only by default**, which covers local desktop usage and the supported notebook integrations (each served through a same-origin proxy or iframe). Cross-origin access is now opt-in via a new `allowed_origins` config option (environment variable `FIFTYONE_ALLOWED_ORIGINS`), an explicit comma-separated list of trusted origins, e.g.: ```shell export FIFTYONE_ALLOWED_ORIGINS='https://app.example.com,http://localhost:3000' ``` The literal value `*` restores the legacy wildcard behavior for users who explicitly require it and emits a warning. **Users should upgrade to FiftyOne 1.17.0 or later.** ### Workarounds In affected versions there is no configuration flag to disable the wildcard CORS header without upgrading. Until you can upgrade: - Do not run the FiftyOne App server while browsing untrusted websites. - Keep the App server bound to `localhost` (the default) and avoid exposing it on a network interface. - Use a browser that enforces Private Network Access protections. ### Resources - OWASP A01:2025 – Broken Access Control: https://owasp.org/Top10/2025/A01_2025-Broken_Access_Control/
Weaknesses (CWE)
CWE-346 Origin Validation Error
Primary
CWE-942 Permissive Cross-domain Security Policy with Untrusted Domains
Primary
CWE-346 — Origin Validation Error: The product does not properly verify that the source of data or communication is valid.
Source: MITRE CWE corpus.
CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N References
Timeline
Related Vulnerabilities
CVE-2026-44727 9.0 jupyter-server: stored XSS yields kernel RCE
Same package: notebook CVE-2026-52798 8.9 Gogs: Stored XSS via .ipynb Markdown re-render bypass
Same package: notebook CVE-2026-42557 8.8 JupyterLab: one-click RCE via notebook HTML cell output
Same package: notebook CVE-2026-42266 8.8 JupyterLab: Extension allow-list bypass enables privesc
Same package: notebook CVE-2026-5422 8.1 jupyter-server: path traversal exposes sibling dir files
Same package: notebook