PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-42266 jupyterlab CVE debrief

CVE-2026-42266 affects JupyterLab versions 4.0.0 through 4.5.6. The issue is an enforcement failure in the PyPI Extension Manager allow-list: allowed_extensions_uris is not correctly enforced, and the Extension Manager was not contained to packages listed on the default PyPI index. The issue is fixed in JupyterLab 4.5.7. Based on the published CVSS vector, this is a high-severity issue with a network attack vector and high impact to confidentiality, integrity, and availability.

Vendor: jupyterlab
Product: Unknown
CVSS: HIGH 8.8
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-13
Original CVE updated: 2026-05-21
Advisory published: 2026-05-13
Advisory updated: 2026-05-21

Who should care

JupyterLab administrators, platform teams, and developers who enable or rely on the PyPI Extension Manager. Organizations that allow users to install JupyterLab extensions from PyPI should prioritize this advisory, especially if extension selection is meant to be restricted by allow-lists or approved indexes.

Technical summary

According to the advisory summary, JupyterLab 4.0.0 through 4.5.6 does not correctly enforce the extension allow-list used by the PyPI Extension Manager. That means the intended restriction in allowed_extensions_uris can fail, allowing the manager to consider packages beyond the default PyPI index. The cited weakness categories are CWE-88 (improper neutralization of argument delimiters in a command, i.e. argument injection) and CWE-602 (client-side enforcement of server-side security), which point respectively to insufficiently validated package arguments and to a restriction applied on the client rather than enforced by the server. The fix is present in 4.5.7.

Defensive priority

High. The CVSS vector provided by NVD is CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H, which indicates a network attack vector, low attack complexity, low privileges required (an authenticated JupyterLab user), no user interaction, and high impact to confidentiality, integrity, and availability if exploited. Systems that permit extension installation or delegate trust decisions to the Extension Manager should be updated promptly.

Recommended defensive actions

  • Upgrade JupyterLab to 4.5.7 or later.
  • Review whether the PyPI Extension Manager is enabled in your deployments and disable it if it is not required.
  • Verify that extension installation policies are enforced at the deployment layer, not only in the client UI.
  • Audit approved extension sources and any custom allow-list or index configuration for consistency with your intended policy.
  • Check installed JupyterLab extensions and remove anything that is not approved for your environment.
  • Use the linked JupyterLab extension and JupyterHub web security documentation to validate your hardening approach.
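The following script is an added example (not PatchSiren's code and not part of the JupyterLab project) that implements two of the checks above: it decides whether a given JupyterLab version falls in the affected range stated by this advisory (4.0.0 up to but not including 4.5.7, with pre-releases of 4.5.7 treated conservatively as affected), and it audits a list of installed extension packages against an approved allow-list. Package names are compared after PEP 503 normalization (case-insensitive, with runs of `-`, `_` and `.` treated as equivalent), because an allow-list that compares raw strings will miss an installed package whose name differs only in case or separators. The installed-extension list and the approved list are constructed sample data; in practice you would fill them from `pip list` or `jupyter labextension list` on the host.

```python
"""Defender-side checks for CVE-2026-42266 (added example, not project code).

Two checks:
  1. is_affected(): is this JupyterLab version in the advisory's affected range?
  2. audit_extensions(): which installed extensions are not on the approved list?
"""
from __future__ import annotations

import re
from typing import Iterable

# Version bounds taken from the advisory: 4.0.0 <= affected < 4.5.7.
# The fourth tuple element marks final releases (1) vs pre-releases (0), so a
# pre-release of 4.5.7 sorts below the final 4.5.7 and is still flagged.
AFFECTED_MIN = (4, 0, 0, 0)
FIXED = (4, 5, 7, 1)

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(.*)$")


def parse_version(text: str) -> tuple[int, int, int, int]:
    """Turn '4.5.6' or '4.5.7rc1' into a comparable tuple.

    Anything after major.minor.patch is treated as a pre-release marker; this
    is a deliberate simplification, not a full PEP 440 parser.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised JupyterLab version: {text!r}")
    major, minor, patch, suffix = m.groups()
    is_final = 1 if suffix == "" else 0
    return (int(major), int(minor), int(patch), is_final)


def is_affected(version: str) -> bool:
    """True if the version lies in the advisory's affected range."""
    v = parse_version(version)
    return AFFECTED_MIN <= v < FIXED


def normalize_name(name: str) -> str:
    """PEP 503 project-name normalisation used by PyPI and pip."""
    return re.sub(r"[-_.]+", "-", name).lower()


def audit_extensions(
    installed: Iterable[tuple[str, str]], approved: Iterable[str]
) -> list[str]:
    """Return installed package names that are not on the approved list.

    Comparison is done on normalised names so 'Jupyter_Resource_Usage' and
    'jupyter-resource-usage' are recognised as the same project.
    """
    approved_set = {normalize_name(n) for n in approved}
    return sorted(
        name for name, _version in installed
        if normalize_name(name) not in approved_set
    )


# Constructed sample data: what `pip list` might report on a notebook host.
SAMPLE_INSTALLED = [
    ("jupyterlab-git", "0.50.0"),
    ("Jupyter_Resource_Usage", "1.1.0"),
    ("unvetted-widget", "0.1.0"),   # hypothetical package, not on the allow-list
]
# Constructed allow-list as an administrator might maintain it.
APPROVED = ["jupyterlab-git", "jupyter-resource-usage"]


def report(jupyterlab_version: str,
           installed: Iterable[tuple[str, str]],
           approved: Iterable[str]) -> dict:
    """Combine both checks into one structured result."""
    return {
        "jupyterlab_version": jupyterlab_version,
        "affected_by_cve_2026_42266": is_affected(jupyterlab_version),
        "unapproved_extensions": audit_extensions(installed, approved),
    }


if __name__ == "__main__":
    for ver in ("4.5.6", "4.5.7", "4.5.7rc1", "3.6.8"):
        print(f"JupyterLab {ver}: affected={is_affected(ver)}")
    print(report("4.5.6", SAMPLE_INSTALLED, APPROVED))
```

A version that parses as affected should be upgraded to 4.5.7 or later; any name returned by `audit_extensions` is a candidate for removal or for review against your approved-source policy.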

Evidence notes

The vulnerability description states that JupyterLab 4.0.0 to 4.5.6 incorrectly enforces allowed_extensions_uris and that the PyPI Extension Manager was not contained to packages listed on the default PyPI index. The NVD record classifies the issue as under analysis and provides the CVSS vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H with CWE-88 and CWE-602. GitHub release 4.5.7 and the linked security advisory indicate the fix is available in 4.5.7. The JupyterLab and JupyterHub documentation links are relevant for extension manager behavior and web security guidance.

Official resources

Published in the CVE record on 2026-05-13T16:16:47.017Z and last modified on 2026-05-21T02:16:33.527Z.