PT-2026-37244 · Unknown · Jupyterhub

Romain-Deperne · Published 2026-05-05 · Updated 2026-06-01 · CVE-2026-40864

CVSS v3.1: 5.4 (Medium)
Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L
Name of the Vulnerable Software and Affected Versions: JupyterHub versions 4.1.0 through 5.4.4

Description: JupyterHub's XSRF protection treated any request carrying a Sec-Fetch-Mode: no-cors header as a same-origin request, so such requests bypassed the XSRF check. The flaw affects HTTP form endpoints such as /hub/spawn and /hub/accept-share; the JSON API is not affected. An attacker could trigger a server spawn or, if permitted to share server access, force a user to accept a share and so gain access to the attacker's server.

Recommendations: Update to version 5.4.5. As a temporary mitigation, if a reverse proxy sits in front of JupyterHub, drop requests to JupyterHub that carry the Sec-Fetch-Mode: no-cors header.
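As an added illustration, not JupyterHub's own code, the following Python models the same-origin decision an XSRF filter makes in front of the form endpoints named above, placing the flawed header logic beside a hardened one and expressing the proxy mitigation as a rule. The header handling, the double-submit token scheme and the sample requests are assumptions constructed for this example.

```python
import hmac

# Form endpoints the advisory names as affected (the JSON API is not).
FORM_ENDPOINTS = ("/hub/spawn", "/hub/accept-share")


def _header(headers: dict, name: str) -> str:
    """Case-insensitive header lookup, value normalised to lowercase."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value.strip().lower()
    return ""


def flawed_is_same_origin(headers: dict) -> bool:
    """Models the weakness described in the advisory (an assumption, not
    JupyterHub's code): Sec-Fetch-Mode: no-cors is mistaken for same-origin."""
    return (_header(headers, "Sec-Fetch-Site") == "same-origin"
            or _header(headers, "Sec-Fetch-Mode") == "no-cors")


def is_same_origin(headers: dict) -> bool:
    """Hardened decision: only the browser's Sec-Fetch-Site attestation counts.
    Sec-Fetch-Mode says how the response may be read, not where the request
    came from, so it is ignored. A missing header is never trusted."""
    return _header(headers, "Sec-Fetch-Site") == "same-origin"


def form_post_allowed(path: str, headers: dict, form: dict, cookie_token: str,
                      same_origin=is_same_origin) -> bool:
    """Accept a state-changing form POST only if the browser attests same-origin
    or the submitted _xsrf field matches the XSRF cookie (double-submit)."""
    if path not in FORM_ENDPOINTS:
        return False  # only the form endpoints are modelled here
    if same_origin(headers):
        return True
    submitted = form.get("_xsrf", "")
    return bool(cookie_token) and hmac.compare_digest(submitted, cookie_token)


def proxy_should_drop(headers: dict) -> bool:
    """The advisory's temporary mitigation as a reverse-proxy rule:
    refuse any request to the hub carrying Sec-Fetch-Mode: no-cors."""
    return _header(headers, "Sec-Fetch-Mode") == "no-cors"


# Constructed sample requests, not captured traffic.
CROSS_SITE_FORM = {"Sec-Fetch-Site": "cross-site", "Sec-Fetch-Mode": "no-cors"}
SAME_ORIGIN_FORM = {"Sec-Fetch-Site": "same-origin", "Sec-Fetch-Mode": "navigate"}
```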

Fix

Weakness Enumeration: CSRF

Related Identifiers:
BIT-JUPYTERHUB-2026-40864
CVE-2026-40864
GHSA-M68R-V472-JGQ9

Affected Products: Jupyterhub