CVE-2026-6657: jupyter-server: CORS bypass enables arbitrary code execution

AWAITING NVD
Published June 3, 2026
CISO Take

A regex anchoring flaw in jupyter-server 1.12.0 through 2.17.0 lets an attacker bypass CORS origin validation when the allow_origin_pat setting is in use. The server checks the Origin header with re.match(), which anchors only at the start of the string, so a pattern meant to admit trusted.example.com also accepts an attacker-registered domain such as trusted.example.com.evil.com. The same flawed check guards CORS headers, WebSocket connections, referer validation, and login redirects, so a page on the attacker's domain, loaded in the browser of a user with an active Jupyter session, can reach the Jupyter REST and kernel APIs with that user's session: execute arbitrary Python, read notebook contents, and exfiltrate training data or cloud credentials held in environment variables. Jupyter is ubiquitous in AI/ML development, so exposure is broad across data science teams handling proprietary models and sensitive datasets, and JupyterHub multi-user deployments widen the blast radius. No public exploit or confirmed active exploitation has been reported, but the attack needs only a registered domain, a hosted page, and a lure that gets a logged-in user to open it: a moderate-sophistication bar. Patch to a release later than 2.17.0; where that is not yet possible, replace allow_origin_pat with exact allow_origin matching (or end every pattern with a $ anchor) and keep Jupyter reachable only from localhost or a VPN.

Sources: NVD ATLAS huntr.com

What is the risk?

HIGH risk for AI/ML environments where a browser that can reach Jupyter can also load attacker content, which includes developer workstations running a server on localhost. Prerequisites are modest: the attacker registers a domain shaped to pass the regex, hosts a page, and delivers one link to a user with an active session. Blast radius is severe: the attacker's page inherits the victim's session, and kernel access means arbitrary code execution in the Python environment hosting models, pipelines, and sensitive data. Environments with auto-mounted cloud credentials (AWS, GCP, Azure) face full credential exposure. JupyterHub multi-user deployments amplify impact by exposing a shared server surface. The absence of a CVSS score reflects how recently the advisory was published, not low severity.

Attack Kill Chain

Domain Acquisition
Attacker registers a domain that structurally extends a trusted origin (e.g., trusted.example.com.evil.com) to satisfy the re.match() regex check without a trailing anchor.
AML.T0008.002
Drive-by Delivery
Victim with an active Jupyter session is lured to the attacker-controlled domain via phishing or malicious link; browser loads attacker JavaScript.
AML.T0078
CORS Bypass and API Access
Malicious JavaScript sends cross-origin requests to the Jupyter REST API; the Origin header passes the flawed re.match() validation, so the browser lifts its cross-origin response restrictions and the script operates with the victim's authenticated session.
AML.T0049
Code Execution and Exfiltration
Attacker spawns a Jupyter kernel via API and executes arbitrary Python to read notebooks, training datasets, model artifacts, and environment credentials, then POSTs all data to an attacker-controlled collection endpoint.
AML.T0037

Severity & Risk

CVSS 3.1
N/A
EPSS
N/A
Exploitation Status
No known exploitation
Sophistication
Moderate

What should I do?

5 steps
  1. Patch: Upgrade jupyter-server to a release later than 2.17.0 that corrects the re.match() anchoring flaw. The advisory gives 1.12.0 through 2.17.0 as the affected range, so confirm the fix in the release notes of the version you deploy.

  2. Workaround: Replace allow_origin_pat with an exact allow_origin string. The Origin header includes the scheme, so the value is https://trusted.example.com, not the bare hostname. If a regex is unavoidable, end every pattern with a $ anchor so the whole header must match, e.g. ^https://trusted\.example\.com$ instead of ^https://trusted\.example\.com (in Python, \Z is stricter than $, which also matches before a trailing newline). When a pattern contains alternation, group it so the anchors apply to every branch: ^https://(a|b)\.example\.com$ rather than ^https://a\.example\.com|https://b\.example\.com$, whose first branch remains unanchored.

  3. Network isolation: Bind Jupyter to localhost (127.0.0.1) or put it behind zero-trust/VPN access, and never expose it to the public internet or untrusted networks. Note that a localhost binding limits direct network reach but does not by itself stop this attack, because the cross-origin request is issued by the victim's own browser (the exploitation scenario below targets http://localhost:8888); treat isolation as a complement to patching or the pattern fix, not a substitute.

  4. Detection: Where a reverse proxy or the server's request logging records the Origin header, flag values whose host extends a trusted host with extra labels (trusted.example.com.anything) and any origin not on the exact allow-list. In Jupyter's own logs, watch for kernel starts, WebSocket connections, and API calls that do not correlate with a user's interactive activity.

  5. Audit: Inventory every allow_origin_pat setting across development, staging, JupyterHub, and notebook CI deployments (jupyter_server_config.py and .json files as well as command-line overrides), and test each pattern against a suffix-extended origin rather than relying on a visual check for a trailing anchor.

Classification

Compliance Impact

This CVE is relevant to:

EU AI Act
Article 9 - Risk Management System
ISO 42001
A.6.1.3 - Information security in AI system design
NIST AI RMF
MANAGE-2.2 - Mechanisms to respond to AI risks
OWASP LLM Top 10
LLM06 - Sensitive Information Disclosure

Frequently Asked Questions

What is CVE-2026-6657?

CVE-2026-6657 is a CORS origin-validation bypass in jupyter-server 1.12.0 through 2.17.0. When allow_origin_pat is configured, the Origin header is checked with re.match(), which anchors only at the start of the string, so an attacker-registered domain such as trusted.example.com.evil.com passes a pattern meant for trusted.example.com. Because the same check guards CORS headers, WebSocket connections, referer validation, and login redirects, a page on the attacker's domain opened by a user with an active Jupyter session can call the REST and kernel APIs with that session, execute arbitrary Python, and read notebooks, datasets, and credentials. The CISO Take above covers impact and remediation.

Is CVE-2026-6657 actively exploited?

No confirmed active exploitation of CVE-2026-6657 has been reported, but organizations should still patch proactively.

How to fix CVE-2026-6657?

Upgrade jupyter-server to a release later than 2.17.0. If you cannot patch yet, replace allow_origin_pat with an exact allow_origin value (including the scheme, e.g. https://trusted.example.com), or make sure every regex ends with a $ anchor; keep Jupyter bound to localhost or behind a VPN; monitor for unexpected origins, kernel starts, and WebSocket connections; and inventory every allow_origin_pat setting across development, staging, JupyterHub, and CI deployments. The five steps under "What should I do?" above give the details.

What systems are affected by CVE-2026-6657?

This vulnerability affects the following AI/ML architecture patterns: ML development environments, Training pipelines, Data science workbenches, JupyterHub multi-user deployments, AI/ML CI/CD pipelines running notebooks.

What is the CVSS score for CVE-2026-6657?

No CVSS score has been assigned yet.

AI Security Impact

Affected AI Architectures

ML development environments
Training pipelines
Data science workbenches
JupyterHub multi-user deployments
AI/ML CI/CD pipelines running notebooks

MITRE ATLAS Techniques

AML.T0008.002 Domains
AML.T0025 Exfiltration via Cyber Means
AML.T0037 Data from Local System
AML.T0049 Exploit Public-Facing Application
AML.T0078 Drive-by Compromise

Compliance Controls Affected

EU AI Act: Article 9
ISO 42001: A.6.1.3
NIST AI RMF: MANAGE-2.2
OWASP LLM Top 10: LLM06

Technical Details

Original Advisory

A vulnerability in jupyter-server versions 1.12.0 through 2.17.0 allows an attacker to bypass CORS origin validation when the `allow_origin_pat` configuration is used. The issue arises from the use of `re.match()` for validating the `Origin` header, which only anchors at the start of the string. This allows attacker-controlled domains such as `trusted.example.com.evil.com` to pass validation against patterns intended to match `trusted.example.com`. The vulnerability affects multiple locations in the codebase, including CORS headers, WebSocket connections, referer validation, and login redirects, potentially enabling phishing attacks, arbitrary code execution, and unauthorized access to sensitive API responses.
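
The check below is an added example, written for this page rather than taken from jupyter-server or the advisory. It imitates the shape of the flawed validation the advisory describes (re.match() against an allow_origin_pat value) beside the hardened form, and performs the inventory that remediation step 5 asks for: it pulls every allow_origin_pat literal out of a jupyter_server_config.py-style file and tests each one against a suffix-extended origin. The config snippet, the hostnames and the .attacker.example suffix are constructed for the example; c.ServerApp.allow_origin_pat and c.ServerApp.allow_origin are the real jupyter-server setting names.

```python
"""Added example: the unanchored-regex origin bypass behind CVE-2026-6657,
the hardened check, and an audit of allow_origin_pat values in a config file.
Not jupyter-server code; the two *_allowed functions only imitate the shape
of the validation the advisory describes."""
import ast
import re
from typing import Iterable

# A value an operator might set for c.ServerApp.allow_origin_pat, intending
# to admit exactly https://trusted.example.com. Only the start is anchored.
UNANCHORED_PAT = r"^https://trusted\.example\.com"

# Placeholder suffix used by the audit; not a real domain.
BYPASS_SUFFIX = ".attacker.example"


def origin_allowed_vulnerable(origin: str, pat: str) -> bool:
    """The flawed shape: re.match() anchors only at position 0, so anything
    appended after the trusted host still matches."""
    return re.match(pat, origin) is not None


def origin_allowed_hardened(origin: str, pat: str) -> bool:
    """The fix: re.fullmatch() requires the entire Origin header to match,
    so a missing trailing anchor in the pattern no longer widens the match.
    (An operator who cannot change the code gets the same effect by ending
    the pattern with $ or \\Z; \\Z is stricter, since $ also matches before
    a trailing newline.)"""
    return re.fullmatch(pat, origin) is not None


def pattern_accepts_suffix_bypass(pat: str, intended_origin: str) -> bool:
    """Audit check for one pattern under re.match() semantics: True when the
    pattern admits the intended origin and also admits the same origin with
    extra labels appended to its host, i.e. the pattern is bypassable."""
    return (re.match(pat, intended_origin) is not None
            and re.match(pat, intended_origin + BYPASS_SUFFIX) is not None)


def allow_origin_pats_in_config(config_source: str) -> list[str]:
    """Collect string literals assigned to any *.allow_origin_pat in a
    jupyter_server_config.py-style file. Walks the AST without executing
    the config, so the file's other statements never run."""
    found = []
    for node in ast.walk(ast.parse(config_source)):
        if not isinstance(node, ast.Assign):
            continue
        value = node.value
        if not (isinstance(value, ast.Constant) and isinstance(value.value, str)):
            continue
        for target in node.targets:
            if isinstance(target, ast.Attribute) and target.attr == "allow_origin_pat":
                found.append(value.value)
    return found


def audit_config(config_source: str, intended_origins: Iterable[str]) -> dict[str, bool]:
    """Map each configured pattern to True if it is bypassable for at least
    one of the origins it is meant to admit."""
    origins = list(intended_origins)
    return {
        pat: any(pattern_accepts_suffix_bypass(pat, o) for o in origins)
        for pat in allow_origin_pats_in_config(config_source)
    }


# Constructed jupyter_server_config.py fragment: the first assignment is the
# vulnerable shape, the second is the anchored fix. (In a real file the
# exact-match setting c.ServerApp.allow_origin is preferable to any pattern.)
SAMPLE_CONFIG = r'''
c = get_config()
c.ServerApp.allow_origin_pat = r'^https://trusted\.example\.com'
c.ServerApp.allow_origin_pat = r'^https://trusted\.example\.com$'
'''

if __name__ == "__main__":
    legit = "https://trusted.example.com"
    evil = "https://trusted.example.com.evil.example"
    print("vulnerable check admits evil origin:", origin_allowed_vulnerable(evil, UNANCHORED_PAT))
    print("hardened check admits evil origin:  ", origin_allowed_hardened(evil, UNANCHORED_PAT))
    for pat, bypassable in audit_config(SAMPLE_CONFIG, [legit]).items():
        print(f"{'BYPASSABLE' if bypassable else 'ok        '}  {pat}")
```

The audit tests behaviour rather than looking for a literal $ at the end of the pattern on purpose: ^https://a\.example\.com|https://b\.example\.com$ ends in $, yet its first alternation branch is unanchored and re.match() still admits https://a.example.com.attacker.example. Running the check against the exact origins a pattern is meant to allow catches that case; eyeballing the pattern does not.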

Exploitation Scenario

A threat actor targeting an AI development team registers the domain notebooks.company.com.attacker.io. They host a page at that domain containing JavaScript that issues fetch() requests to the victim's internal Jupyter server (e.g., http://localhost:8888 or an internal JupyterHub URL). When a data scientist with an active Jupyter session opens the attacker's link, delivered via phishing email or a poisoned documentation site, the browser sends cross-origin requests carrying the victim's session cookie, and the Origin header https://notebooks.company.com.attacker.io passes the vulnerable re.match() check against a pattern such as ^https://notebooks\.company\.com. The malicious script then calls the Jupyter REST API to spawn a kernel, executes Python that reads /etc/environment and ~/.aws/credentials, dumps the contents of all open notebooks, and POSTs the exfiltrated data to the attacker's collection endpoint. The entire chain completes within seconds of the victim loading the page, with no user interaction beyond the initial click.

Weaknesses (CWE)

Timeline

Published
June 3, 2026
Last Modified
June 3, 2026
First Seen
June 3, 2026

Related Vulnerabilities