PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-40934 Jupyter CVE debrief

CVE-2026-40934 is a session-revocation weakness in Jupyter Server versions 2.17.0 and earlier. Because the secret used to sign authentication cookies is stored in a static runtime file and is not rotated when a user changes their password, previously issued cookies can remain valid after a password reset and server restart. The issue is fixed in Jupyter Server 2.18.0.

Vendor: Jupyter
Product: CVE-2026-40934
CVSS: HIGH 7.6
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-05
Original CVE updated: 2026-05-11
Advisory published: 2026-05-05
Advisory updated: 2026-05-11

Who should care

Administrators and operators of Jupyter Server deployments that use password-based authentication, especially shared, multi-user, or publicly reachable servers where password resets are expected to invalidate existing sessions.

Technical summary

According to the NVD record and the linked GitHub security advisory, Jupyter Server persisted the cookie-signing secret at ~/.local/share/jupyter/runtime/jupyter_cookie_secret and did not rotate it when a password changed. As a result, authentication cookies signed before the reset could continue to validate after restart. The vulnerability is mapped to CWE-613 (Insufficient Session Expiration) and affects Jupyter Server versions up to, but not including, 2.18.0.

Defensive priority

High. This is a high-severity authentication/session persistence issue (CVSS 7.6) that can preserve authenticated access after credential changes. Prioritize upgrades and session-invalidating operational checks.

Recommended defensive actions

  • Upgrade Jupyter Server to version 2.18.0 or later.
  • Treat password changes as insufficient for session revocation until the fixed version is deployed.
  • Review whether any long-lived or shared authentication cookies may still be accepted after password resets.
  • For exposed or multi-user deployments, validate that operational password rotation procedures include application upgrade and session reauthentication.
  • Monitor the linked vendor advisory for any additional mitigation guidance.
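One way to operationalize the checks above, as an added example that is not part of the PatchSiren debrief or of the Jupyter project: a small Python audit that compares the installed jupyter_server version against the fixed release and flags a cookie secret file that predates the last password change (such a secret would still validate sessions issued before the reset on an unfixed server). It assumes the secret path named in the advisory, that the password hash is written to ~/.jupyter/jupyter_server_config.json by `jupyter server password`, and that `jupyter_server.__version__` is importable on the host being audited.

```python
import os
import re
from dataclasses import dataclass
from typing import Optional

FIXED_VERSION = (2, 18, 0)                                              # fixed release per the advisory
COOKIE_SECRET = "~/.local/share/jupyter/runtime/jupyter_cookie_secret"  # path per the advisory
PASSWORD_CONFIG = "~/.jupyter/jupyter_server_config.json"  # assumption: written by `jupyter server password`

def parse_version(text):
    """'2.17.0' -> (2, 17, 0). Pre-release labels such as 'rc1' are ignored (simplifying assumption)."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"unrecognised jupyter_server version: {text!r}")
    return tuple(int(x) for x in m.groups())

def is_fixed_version(text):
    return parse_version(text) >= FIXED_VERSION

@dataclass
class Finding:
    vulnerable_version: bool   # jupyter_server older than 2.18.0
    stale_secret: bool         # cookie secret is older than the last password change
    action: str

def assess(version, secret_mtime: Optional[float], password_mtime: Optional[float]) -> Finding:
    """Decision logic kept apart from the filesystem; mtimes are POSIX timestamps, or None if the file is absent."""
    vulnerable = not is_fixed_version(version)
    stale = (secret_mtime is not None and password_mtime is not None
             and secret_mtime < password_mtime)
    if vulnerable and stale:
        action = "upgrade to 2.18.0+, delete the cookie secret, restart and re-authenticate all users"
    elif vulnerable:
        action = "upgrade to 2.18.0+; until then delete the cookie secret and restart after every password change"
    elif stale:
        action = "fixed version, but the secret is older than the last password change; rotate it once and restart"
    else:
        action = "no action required"
    return Finding(vulnerable, stale, action)

def _mtime(path) -> Optional[float]:
    path = os.path.expanduser(path)
    return os.path.getmtime(path) if os.path.exists(path) else None

def audit() -> Finding:
    import jupyter_server  # assumption: the server package is installed in the audited environment
    runtime = os.environ.get("JUPYTER_RUNTIME_DIR")  # honoured by jupyter_core when set
    secret = os.path.join(runtime, "jupyter_cookie_secret") if runtime else COOKIE_SECRET
    return assess(jupyter_server.__version__, _mtime(secret), _mtime(PASSWORD_CONFIG))
```

Run `audit()` on each Jupyter host; a `stale_secret` result on an unfixed version means the cookie secret must be rotated by hand (delete the file and restart) before a password reset can be trusted to end existing sessions.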

Evidence notes

Source evidence comes from the official NVD record for CVE-2026-40934 and the linked GitHub security advisory. The NVD record lists Jupyter Server as affected through versions earlier than 2.18.0, includes the CWE-613 mapping, and references the vendor advisory for mitigation. The CVE published timestamp used here is 2026-05-05T22:16:00.820Z, with a later record modification on 2026-05-11T13:00:39.473Z.

Official resources

Publicly disclosed on 2026-05-05 and updated in the official record on 2026-05-11. The fixed release is 2.18.0.