Project Jupyter · Jupyter Server · CVE-2026-40934
**Name of the Vulnerable Software and Affected Versions**
Jupyter Server versions prior to 2.18.0
**Description**
The secret used to sign authentication cookies is persisted to a static file at `~/.local/share/jupyter/runtime/jupyter_cookie_secret` and is not rotated when a user changes their password. A cookie is accepted purely on the strength of its signature under that secret, so after a password reset and server restart every previously issued authentication cookie remains cryptographically valid. An attacker who has captured a session cookie therefore retains full authenticated access to the server regardless of subsequent password changes. This affects deployments using password-based authentication, particularly shared or public-facing servers where credential rotation is expected to revoke existing sessions.
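The following is an added illustration of the failure mode described above, not Jupyter Server's own code: a minimal HMAC-signed session cookie, a server that keeps one static signing secret across password changes (the vulnerable pattern), and a variant that generates a fresh secret whenever the password changes (one way to mitigate, equivalent to deleting the secret file; it is not claimed to be how 2.18.0 fixes the issue). All class and function names are illustrative, and the constructed scenario (user `alice`, two passwords) is sample input.

```python
"""Why a static cookie-signing secret lets stolen cookies outlive a password change.

Added example modelled on how signed session cookies work in general; it is
not Jupyter Server code. Names below (StaticSecretServer, RotatingSecretServer,
sign_cookie, verify_cookie) are illustrative.
"""
import base64
import binascii
import hashlib
import hmac
import secrets
import time
from typing import Optional


def sign_cookie(secret: bytes, user: str, issued: int) -> str:
    """Return 'base64(payload).hex(HMAC-SHA256(secret, payload))'."""
    payload = f"{user}|{issued}".encode()
    tag = hmac.new(secret, payload, hashlib.sha256).hexdigest()
    return base64.urlsafe_b64encode(payload).decode() + "." + tag


def verify_cookie(secret: bytes, cookie: str) -> Optional[str]:
    """Return the user name if the signature is valid under `secret`, else None.

    Nothing but the secret decides validity: the password plays no part here.
    """
    try:
        b64, tag = cookie.rsplit(".", 1)
        payload = base64.urlsafe_b64decode(b64)
    except (ValueError, binascii.Error):
        return None
    expected = hmac.new(secret, payload, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        return None
    return payload.decode().split("|", 1)[0]


class StaticSecretServer:
    """Vulnerable pattern: the secret is created once (think: written to a
    runtime file) and reused unchanged across password changes."""

    def __init__(self) -> None:
        self.cookie_secret = secrets.token_bytes(32)  # stand-in for the on-disk secret
        self.password_hash: Optional[str] = None

    def set_password(self, password: str) -> None:
        # Hashing here is only a placeholder for credential storage.
        self.password_hash = hashlib.sha256(password.encode()).hexdigest()

    def login(self, user: str) -> str:
        return sign_cookie(self.cookie_secret, user, int(time.time()))

    def authenticate(self, cookie: str) -> Optional[str]:
        return verify_cookie(self.cookie_secret, cookie)


class RotatingSecretServer(StaticSecretServer):
    """Mitigated pattern: every password change also replaces the cookie
    secret, so all cookies signed before the change stop verifying."""

    def set_password(self, password: str) -> None:
        super().set_password(password)
        self.cookie_secret = secrets.token_bytes(32)


def stolen_cookie_survives_password_change(server_cls) -> bool:
    """Constructed scenario: attacker captures alice's cookie, alice then
    changes her password. Returns True if the old cookie still authenticates."""
    srv = server_cls()
    srv.set_password("old-password")
    stolen = srv.login("alice")          # captured by the attacker
    srv.set_password("new-password")     # victim rotates the credential
    return srv.authenticate(stolen) == "alice"


if __name__ == "__main__":
    print("static secret:  ", stolen_cookie_survives_password_change(StaticSecretServer))
    print("rotating secret:", stolen_cookie_survives_password_change(RotatingSecretServer))
```

The point of the comparison is that password verification and cookie verification are independent checks; unless the password change also invalidates the signing key (by rotating it, or by deriving the cookie key from something that changes with the password), the session layer never learns that the credential was revoked.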
**Recommendations**
Update to version 2.18.0 or later.
As a temporary workaround, delete the file `~/.local/share/jupyter/runtime/jupyter_cookie_secret` and restart the server; a fresh secret is generated on startup, which invalidates every outstanding cookie (all users are logged out, not only the affected one). The runtime directory differs by platform and by `JUPYTER_RUNTIME_DIR`; `jupyter --runtime-dir` prints the one in use. Because the secret is still not rotated automatically on an unpatched server, this must be repeated after every password change until the upgrade is applied.