PT-2026-37256 · Pypi · Jupyterlab
Published
2026-05-05
·
Updated
2026-05-05
·
CVE-2026-42266
CVSS v3.1
8.8
High
| Vector | AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
The allow-list of extensions that can be installed from PyPI Extension Manager (
allowed extensions uris) is not correctly enforced by JupyterLab prior to 4.5.X. The PyPI Extension Manager was not contained to packages listed on the default PyPI index.This has security implications for deployments that:
- have allow-listed specific extensions with aim to prevent users from installing packages
- have the kernel and terminals disabled or delegated to remote hosts (thus no access to install packages in the single-user server environment)
- have multi-tenant deployments that is not configured for untrusted users (as per documented on JupyterHub https://jupyterhub.readthedocs.io/en/5.2.1/explanation/websecurity.html)
- have the (default) PyPI Extension Manger enabled
Impact
An authenticated attacker - such as a student in a shared JupyterHub environment or a user in a multi-tenant JupyterLab deployment - can escalate their privileges. This might allow for data exfiltration, lateral movement within the network, and persistent compromise of the server infrastructure.
Patches
JupyterLab
v4.5.7 contains the patch.Users of applications that depend on JupyterLab, such as Notebook v7+, should update
jupyterlab package too.Workarounds
Switch to read-only extension manager by adding the following command line option:
--LabApp.extension manager=readonlyor the following traitlet:
c.LabApp.extension manager = 'readonly'You can confirm that the read-only manager is in use from GUI:
Note: configuration of a PyPI proxy with allow-listed packages is not sufficient to protect from this vulnerability.
Resources
Fix
Argument Injection
RCE
Found an issue in the description? Have something to add? Feel free to write us 👾
Related Identifiers
Affected Products
Jupyterlab