
Oliver-Sanders

#30677 of 53,630
8.6 Total CVSS
Vulnerabilities · 1
PT-2024-29650
8.6
2024-08-08
Unknown · Jupyterhub · CVE-2024-41942
**Name of the Vulnerable Software and Affected Versions**

JupyterHub versions prior to 4.1.6 and 5.1.0

**Description**

The issue allows a user granted the `admin:users` scope to escalate their own privileges by making themselves a full admin user. This scope is already extremely privileged and only granted to trusted users. In effect, `admin:users` is equivalent to `admin=True`, which is not intended. The impact is relatively small, and the change only prevents escalation to the built-in JupyterHub admin role with unrestricted permissions. It does not prevent users with `groups` permissions from granting themselves or other users permissions via group membership, which is intentional.

**Recommendations**

To resolve the issue, update to version 4.1.6 or 5.1.0, as these versions fix the issue. As a temporary workaround, consider restricting the use of the `admin:users` scope to minimize the risk of exploitation. Restrict access to the `admin=True` equivalent permissions to prevent unintended privilege escalation.