PT-2026-3268 · Unknown · Dask.Distributed+2

Jacobtomlinson · Published 2026-01-01 · Updated 2026-03-12 · CVE-2026-23528

CVSS v3.1: 6.1 (Medium)
Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: Dask distributed versions prior to 2026.1.0

Description: When Jupyter Lab, jupyter-server-proxy, and Dask distributed are used together, a crafted URL can lead to code execution by Jupyter due to a cross-site scripting (XSS) issue in the Dask dashboard. An attacker could create a phishing URL assuming Jupyter Lab and Dask are running on localhost with default ports. Clicking this link opens an error page in the Dask dashboard through the Jupyter Lab proxy, causing code execution by the default Jupyter Python kernel. The root cause is that a malicious URL can execute JavaScript in the user's browser within the Dask dashboard.

Recommendations: Versions prior to 2026.1.0 should be upgraded to version 2026.1.0 or later. As a mitigation, uninstall jupyter-server-proxy and access the Dask dashboard directly via its URL. As a further mitigation, ensure both Jupyter and the Dask dashboard are running on non-standard ports.
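The advisory ties exposure to three conditions: an affected distributed release, jupyter-server-proxy installed, and Jupyter Lab installed. The following added script (not part of the advisory or of the Dask project) audits a Python environment for those conditions. The fixed-version threshold 2026.1.0 and the package names are taken from the advisory; the function names and the assumption that the distributions are published as "distributed", "jupyter-server-proxy" and "jupyterlab" are this example's own.

```python
"""Added example: check a Python environment against the conditions in CVE-2026-23528.
The threshold (2026.1.0) and package names come from the advisory; everything else
(function names, distribution-name assumptions) is this example's own."""
import re
from importlib.metadata import PackageNotFoundError, version

FIXED_VERSION = "2026.1.0"  # first fixed release according to the advisory


def parse_version(v: str) -> tuple:
    """Turn a CalVer string such as '2025.12.1' or '2026.1.0rc1' into a comparable tuple.

    The tuple is (year, minor, patch, final_flag). A pre-release suffix (rc1, a0, ...)
    sets final_flag to 0, so '2026.1.0rc1' sorts below the final 2026.1.0 and is
    therefore still reported as affected (the conservative choice).
    """
    parts = []
    prerelease = False
    for piece in v.split("."):
        m = re.match(r"(\d+)(.*)", piece)
        if m is None:
            parts.append(0)
            prerelease = True
            continue
        parts.append(int(m.group(1)))
        if m.group(2):
            prerelease = True
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3]) + (0 if prerelease else 1,)


def is_affected(installed: str) -> bool:
    """True when the installed distributed release predates the fix."""
    return parse_version(installed) < parse_version(FIXED_VERSION)


def installed_version(dist: str):
    """Return the installed version of a distribution, or None if absent.
    Assumes the distribution is registered under this name (an assumption)."""
    try:
        return version(dist)
    except PackageNotFoundError:
        return None


def audit() -> dict:
    """Report which of the advisory's three preconditions hold in this environment."""
    dask_v = installed_version("distributed")
    report = {
        "distributed": dask_v,
        "distributed_affected": dask_v is not None and is_affected(dask_v),
        "jupyter_server_proxy_present": installed_version("jupyter-server-proxy") is not None,
        "jupyterlab_present": installed_version("jupyterlab") is not None,
    }
    # All three conditions together match the scenario the advisory describes.
    report["exposed"] = (
        report["distributed_affected"]
        and report["jupyter_server_proxy_present"]
        and report["jupyterlab_present"]
    )
    return report


if __name__ == "__main__":
    for key, value in audit().items():
        print(f"{key}: {value}")
```

Run it inside the environment that launches Jupyter; if "exposed" is True, upgrade distributed to 2026.1.0 or later, or apply one of the mitigations listed above and re-run the audit.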

Tags: Exploit · Fix · RCE · XSS

Weakness Enumeration

Related Identifiers

CVE-2026-23528
GHSA-C336-7962-WFJ2
PYSEC-2026-169

Affected Products

Dask.Distributed
Jupyterlab
Jupyter Server Proxy