PT-2026-37241 · Project Jupyter · Jupyter Server
Emin63 · Published 2026-05-05 · Updated 2026-05-05 · CVE-2026-40934
CVSS v4.0: 7.6 (High)
Vector: AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions: Jupyter Server versions prior to 2.18.0

Description: The secret used to sign authentication cookies is persisted to a static file at ~/.local/share/jupyter/runtime/jupyter_cookie_secret and is not rotated when a user changes their password. Consequently, after a password reset and server restart, any previously issued authentication cookie remains cryptographically valid. An attacker who has captured a session cookie retains full authenticated access to the server regardless of subsequent password changes. This affects deployments using password-based authentication, particularly shared or public-facing servers where credential rotation is expected to revoke existing sessions.

Recommendations: Update to version 2.18.0 or later. As a temporary workaround, delete the file ~/.local/share/jupyter/runtime/jupyter_cookie_secret and restart the server.
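The mechanism behind the advisory, as an added example that is not Jupyter Server's code: a minimal HMAC signed-cookie scheme whose secret is persisted to a `jupyter_cookie_secret` file in a runtime directory. `Server`, `set_password`, `login`, `restart` and the in-memory password store are assumptions made for the demo; only the file name and the rotate-on-password-change idea come from the advisory. The two scenario functions show that with a static secret the pre-reset cookie still verifies after a password change and restart, that regenerating the secret on password change rejects it, and that the interim workaround (delete the secret file, restart) has the same revoking effect on an unpatched server.

```python
# Added example (not Jupyter Server code): why a cookie-signing secret that
# survives password changes keeps old session cookies valid, and two ways to
# revoke them. File layout and server API below are assumptions for the demo.
import base64
import binascii
import hashlib
import hmac
import os
import secrets
import tempfile
from pathlib import Path


def load_or_create_secret(path: Path) -> bytes:
    """Return the persisted signing secret, generating one on first start."""
    if path.exists():
        return path.read_bytes()
    secret = secrets.token_bytes(32)
    path.parent.mkdir(parents=True, exist_ok=True)
    path.write_bytes(secret)
    os.chmod(path, 0o600)  # secret is only useful to the server's own user
    return secret


def sign_cookie(secret: bytes, username: str) -> str:
    """Simplified signed cookie: urlsafe-base64(username) '.' hex(HMAC-SHA256)."""
    payload = username.encode()
    mac = hmac.new(secret, payload, hashlib.sha256).hexdigest()
    return base64.urlsafe_b64encode(payload).decode() + "." + mac


def verify_cookie(secret: bytes, cookie: str):
    """Return the username if the MAC is valid under `secret`, else None."""
    try:
        b64, mac = cookie.split(".", 1)
        payload = base64.urlsafe_b64decode(b64)
    except (ValueError, binascii.Error):
        return None
    expected = hmac.new(secret, payload, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, mac):
        return None
    return payload.decode()


class Server:
    """Toy password-authenticated server (assumed layout, not Jupyter's)."""

    def __init__(self, runtime_dir: Path, rotate_secret_on_password_change: bool):
        self.secret_file = runtime_dir / "jupyter_cookie_secret"
        self.secret = load_or_create_secret(self.secret_file)
        self.rotate = rotate_secret_on_password_change
        self.salt = secrets.token_bytes(16)
        self.password_hash = None

    def _hash(self, password: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), self.salt, 100_000)

    def set_password(self, password: str) -> None:
        self.password_hash = self._hash(password)
        if self.rotate:
            # Fixed behaviour: a fresh secret invalidates every cookie issued so far.
            self.secret_file.unlink()
            self.secret = load_or_create_secret(self.secret_file)

    def login(self, password: str):
        if self.password_hash is None:
            return None
        if not hmac.compare_digest(self.password_hash, self._hash(password)):
            return None
        return sign_cookie(self.secret, "user")

    def restart(self) -> None:
        # A restart re-reads the secret from disk; the password store stays in memory here.
        self.secret = load_or_create_secret(self.secret_file)

    def session_user(self, cookie: str):
        return verify_cookie(self.secret, cookie)


def old_cookie_survives_password_reset(rotate: bool) -> bool:
    """True if a cookie issued before the password change is still accepted afterwards."""
    with tempfile.TemporaryDirectory() as tmp:
        srv = Server(Path(tmp), rotate_secret_on_password_change=rotate)
        srv.set_password("old-password")
        cookie = srv.login("old-password")  # cookie issued (and, in the scenario, captured) here
        srv.set_password("new-password")    # owner resets the password ...
        srv.restart()                       # ... and restarts the server
        return srv.session_user(cookie) == "user"


def workaround_delete_secret_file() -> bool:
    """Advisory's interim workaround on a non-rotating server: delete the secret file, restart."""
    with tempfile.TemporaryDirectory() as tmp:
        srv = Server(Path(tmp), rotate_secret_on_password_change=False)
        srv.set_password("old-password")
        cookie = srv.login("old-password")
        srv.set_password("new-password")
        srv.secret_file.unlink()  # rm ~/.local/share/jupyter/runtime/jupyter_cookie_secret
        srv.restart()             # a new secret is generated on start
        return srv.session_user(cookie) == "user"


if __name__ == "__main__":
    print("static secret, old cookie still valid:", old_cookie_survives_password_reset(False))
    print("rotated secret, old cookie still valid:", old_cookie_survives_password_reset(True))
    print("workaround, old cookie still valid:", workaround_delete_secret_file())
```

Rotating the secret revokes every session at once, including the legitimate user's own, which is the expected trade-off of a password reset; the point the advisory makes is that without rotation (or deletion of the file) the reset revokes nothing.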

Fix: fixed in Jupyter Server 2.18.0 (see Recommendations)

Weakness Enumeration: Insufficient Session Expiration (CWE-613)

Related Identifiers: CVE-2026-40934, GHSA-5MRQ-X3X5-8V8F

Affected Products: Jupyter Server