PT-2026-37234 · Project Jupyter · Jupyter Server

Vnykmshr · Published 2026-05-05 · Updated 2026-05-11 · CVE-2026-40110

CVSS v4.0 7.6 High
Vector AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:L/SC:L/SI:L/SA:L
Name of the Vulnerable Software and Affected Versions Jupyter Server versions prior to 2.18.0
Description Origin header validation compares the incoming Origin value against the allow_origin_pat configuration value using re.match(). Because re.match() anchors only at the start of the string and does not require the whole string to match, a pattern intended for one trusted domain also matches any origin that begins with that domain and continues with further characters (for example, the trusted host name used as the leading label of an attacker-controlled domain). An attacker who controls such a domain can therefore bypass the Cross-Origin Resource Sharing (CORS) restriction and make cross-origin requests to the Jupyter Server API from an untrusted site.
Recommendations Update to version 2.18.0. As an interim mitigation on an unpatched server, wrap the allow_origin_pat value in ^ and $ so that only a full-string match is accepted. Note that $ also matches just before a trailing newline, so re.fullmatch() or a \Z anchor is stricter still.
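The prefix-match behaviour described above, as an added example that is not code from Jupyter Server or from the advisory: a constructed allow_origin_pat value and constructed Origin header values are run through the unanchored re.match() check, the ^...$-anchored pattern the recommendation describes, and re.fullmatch(). The host names, sample origins and function names are assumptions for illustration only.

```python
import re

# Constructed example value for allow_origin_pat: an operator trusting one
# site. The host name is hypothetical and not taken from the advisory.
ALLOW_ORIGIN_PAT = r"https://notebooks\.example\.org"

# Constructed sample Origin header values (hypothetical hosts).
SAMPLE_ORIGINS = [
    "https://notebooks.example.org",                           # legitimate origin
    "https://notebooks.example.org.attacker.test",             # trusted host as leading label of an attacker domain
    "https://notebooks.example.orgs.attacker.test",            # trusted host as prefix of a longer label
    "https://attacker.test/?u=https://notebooks.example.org",  # pattern present, but not at the start
]


def origin_allowed_vulnerable(origin: str, pat: str) -> bool:
    """Pre-2.18.0 style check: re.match() anchors only at the start of the
    string, so any Origin that merely begins with the pattern passes."""
    return re.match(pat, origin) is not None


def anchored_pat(pat: str) -> str:
    """Operator-side mitigation from the advisory: wrap the configured
    pattern in ^ and $ so re.match() can only succeed on a full-string match."""
    return "^" + pat + "$"


def origin_allowed_anchored(origin: str, pat: str) -> bool:
    """Same re.match() call as the vulnerable check, but with the anchored
    pattern an operator would configure on an unpatched server."""
    return re.match(anchored_pat(pat), origin) is not None


def origin_allowed_fullmatch(origin: str, pat: str) -> bool:
    """Code-side fix: re.fullmatch() requires the whole string to match.
    It is stricter than ^...$ because $ also matches just before a trailing
    newline, whereas fullmatch does not."""
    return re.fullmatch(pat, origin) is not None


def compare(origins, pat):
    """Map each origin to its (vulnerable, anchored, fullmatch) verdicts."""
    return {
        o: (
            origin_allowed_vulnerable(o, pat),
            origin_allowed_anchored(o, pat),
            origin_allowed_fullmatch(o, pat),
        )
        for o in origins
    }


if __name__ == "__main__":
    for origin, (vuln, anch, full) in compare(SAMPLE_ORIGINS, ALLOW_ORIGIN_PAT).items():
        print(f"{origin:58} re.match={vuln!s:5} ^$={anch!s:5} fullmatch={full}")
```

The anchored form works through the same re.match() call the unpatched code already makes, which is why it can be applied purely through the configuration value; the re.fullmatch() variant shows what the server-side fix needs to guarantee, including the trailing-newline edge case that ^...$ alone lets through.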

Related Identifiers

CVE-2026-40110
GHSA-24QX-W28J-9M6P
OPENSUSE-SU-2026:10710-1

Affected Products

Jupyter Server