PatchSiren

jupyterhub CVE debriefs

These pages are published after PatchSiren validates generated defensive summaries against stored public CVE and source evidence.

MEDIUM jupyterhub CVE published 2026-05-22

CVE-2026-40864

A cross-site request forgery (XSRF) bypass vulnerability exists in JupyterHub versions 4.1.0 through 5.4.4. The XSRF protection mechanism introduced in version 4.1.0 incorrectly classifies requests bearing the `Sec-Fetch-Mode: no-cors` header as same-origin, allowing XSRF checks to be bypassed. The JSON API is not affected; only HTTP form endpoints are impacted, specifically `/hub/spawn` and `/hub/accept- [truncated]