PT-2026-30250 · Unknown+1 · Jupyterhub+2
Jaynornj +1 · Published 2026-04-03 · Updated 2026-05-18 · CVE-2026-33175
CVSS v3.1: 8.8 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: OAuthenticator versions prior to 17.4.0

Description: OAuthenticator is software that allows OAuth2 identity providers to be plugged in and used with JupyterHub. An authentication bypass issue exists that allows an attacker with an unverified email address on an Auth0 tenant to log in to JupyterHub. When email is used as the username claim, this gives users control over their username and the possibility of account takeover. This impacts any Auth0 tenant leveraging the Auth0OAuthenticator and mapping the email claim to the JupyterHub username.

Recommendations: Upgrade OAuthenticator to version 17.4.0. As a workaround, check the email_verified field in an Authenticator.post_auth_hook function. As a workaround, do not use email as the username claim. As a workaround, enforce email verification in Auth0.
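The first workaround as an added example (not code from the advisory or the OAuthenticator project): a JupyterHub post_auth_hook that denies any login whose Auth0 claims do not carry email_verified set to true, failing closed when the claims are missing. It assumes JupyterHub's (authenticator, handler, authentication) hook signature and that OAuthenticator keeps the provider's user-info claims in authentication["auth_state"] under the key named by USER_INFO_KEY; that key name and the sample dicts are constructed assumptions.

```python
# Assumed key under which OAuthenticator stores the Auth0 user-info claims in auth_state.
USER_INFO_KEY = "auth0_user"


def email_is_verified(user_info):
    """Return True only when the provider asserts a verified email address.

    Anything else (missing claims, missing email, a string "true", None) fails closed,
    because an unverified address is exactly what the bypass relies on.
    """
    if not isinstance(user_info, dict):
        return False
    if not user_info.get("email"):
        return False
    return user_info.get("email_verified") is True


def post_auth_hook(authenticator, handler, authentication):
    """JupyterHub post_auth_hook: return the authentication dict to allow, None to deny.

    The hook runs after the OAuth flow succeeded but before JupyterHub creates or logs
    in the user, so denying here stops an unverified address from claiming a username.
    """
    auth_state = (authentication or {}).get("auth_state") or {}
    user_info = auth_state.get(USER_INFO_KEY)
    if not email_is_verified(user_info):
        name = (authentication or {}).get("name")
        log = getattr(authenticator, "log", None)  # authenticator is None in the tests below
        if log is not None:
            log.warning("Denying login for %r: email not verified by Auth0", name)
        return None
    return authentication


# Assumed placement in jupyterhub_config.py:
#   c.Auth0OAuthenticator.post_auth_hook = post_auth_hook

# Constructed sample authentication dicts of the shape the hook receives.
VERIFIED = {"name": "alice@example.org",
            "auth_state": {USER_INFO_KEY: {"email": "alice@example.org", "email_verified": True}}}
UNVERIFIED = {"name": "alice@example.org",
              "auth_state": {USER_INFO_KEY: {"email": "alice@example.org", "email_verified": False}}}
NO_CLAIMS = {"name": "bob@example.org", "auth_state": {}}

if __name__ == "__main__":
    for label, auth in (("verified", VERIFIED), ("unverified", UNVERIFIED), ("no claims", NO_CLAIMS)):
        print(label, "->", "allow" if post_auth_hook(None, None, auth) else "deny")
```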

Fix

Weakness Enumeration
Improper Authentication
Authentication Bypass by Spoofing

Related Identifiers

CLEANSTART-2026-AN27706
CVE-2026-33175
GHSA-RRVG-CXH4-QHRV

Affected Products

Auth0Oauthenticator
Jupyterhub
Authenticator