PT-2026-37256 · Project Jupyter · Jupyterlab

Pmcao · Published 2026-05-05 · Updated 2026-05-21 · CVE-2026-42266

CVSS v3.1: 8.8 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: JupyterLab versions prior to 4.5.7

Description: The PyPI Extension Manager does not correctly enforce the allowed extension URIs allow-list, so packages that are not on the default PyPI index can be installed. This issue affects deployments that use allow-lists to restrict package installation, that have disabled kernels and terminals, or that run multi-tenant configurations not set up for untrusted users. An authenticated attacker can exploit this to escalate privileges, potentially leading to data exfiltration, lateral movement within the network, and persistent compromise of the server infrastructure.

Recommendations: Update to version 4.5.7. As a temporary workaround, switch to a read-only extension manager by using the command line option --LabApp.extension_manager=readonly or the traitlet c.LabApp.extension_manager = 'readonly'.

Fix

Argument Injection

RCE


Weakness Enumeration

Related Identifiers

BIT-JUPYTERLAB-2026-42266
CVE-2026-42266
GHSA-37W4-HWHX-4RC4
OPENSUSE-SU-2026:10748-1
PYSEC-2026-164

Affected Products

Jupyterlab