CVE-2026-40171: Jupyter Notebook Vulnerable to Authentication Token Theft via CommandLinker XSS
A stored cross-site scripting (XSS) vulnerability in Jupyter Notebook allows an attacker to steal authentication tokens from users who open a malicious notebook file and click an element that the attacker can make indistinguishable from a legitimate control (a single click suffices).
The vulnerability enables complete account takeover through the Jupyter REST API, allowing the attacker to:
- Read all files
- Modify/create files
- Access running kernels and execute arbitrary code
- Create terminals for shell access
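Because the attack chain starts with a notebook file that carries active HTML content, a defender-side triage step is to scan untrusted .ipynb files for such content before anyone opens them. The following scanner is an added example written for this advisory; it is not code from the advisory, from GitLab, or from the Jupyter project. It assumes only the public nbformat v4 JSON layout (a top-level "cells" list with "cell_type", "source", and for code cells an "outputs" list whose entries carry "data" keyed by MIME type); the pattern names and the sample notebook are constructed for the example.

```python
"""Pre-open triage of .ipynb files for active HTML content.

Added example for CVE-2026-40171 (not from the advisory or the Jupyter project).
Assumption: the nbformat v4 JSON layout described in the lead-in.
"""
import json
import re
from typing import Any, Dict, List

# Content that can execute or load script when a notebook is rendered.
# The pattern names are this example's own labels, not identifiers from the advisory.
ACTIVE_CONTENT_PATTERNS = {
    "script_tag": re.compile(r"<\s*script\b", re.I),
    # Inline handlers such as onclick="..."; the quote requirement reduces
    # false positives on ordinary prose like "one = 2".
    "event_handler": re.compile(r"\bon[a-z]+\s*=\s*[\"']", re.I),
    "javascript_url": re.compile(r"javascript\s*:", re.I),
    "iframe_or_object": re.compile(r"<\s*(iframe|object|embed)\b", re.I),
    "srcdoc_attr": re.compile(r"\bsrcdoc\s*=", re.I),
}

# Output MIME types that the notebook front end renders rather than shows as text.
RENDERED_MIME_TYPES = ("text/html", "application/javascript", "text/markdown", "image/svg+xml")


def _as_text(value: Any) -> str:
    """nbformat stores text either as a string or as a list of line strings."""
    if isinstance(value, list):
        return "".join(str(v) for v in value)
    return "" if value is None else str(value)


def _scan_text(text: str, location: str, findings: List[Dict[str, str]]) -> None:
    for name, pattern in ACTIVE_CONTENT_PATTERNS.items():
        match = pattern.search(text)
        if match:
            findings.append({"location": location, "pattern": name, "match": match.group(0)})


def scan_notebook(nb: Dict[str, Any]) -> List[Dict[str, str]]:
    """Return one finding per (location, pattern) hit in rendered cell content."""
    findings: List[Dict[str, str]] = []
    for idx, cell in enumerate(nb.get("cells", []) or []):
        ctype = cell.get("cell_type")
        # Markdown and raw cell sources are rendered; code cell sources are not.
        if ctype in ("markdown", "raw"):
            _scan_text(_as_text(cell.get("source")), f"cell[{idx}].source ({ctype})", findings)
        # Stored outputs of code cells are rendered without re-executing the cell.
        for oidx, out in enumerate(cell.get("outputs", []) or []):
            data = out.get("data", {}) or {}
            for mime in RENDERED_MIME_TYPES:
                if mime in data:
                    _scan_text(_as_text(data[mime]), f"cell[{idx}].outputs[{oidx}] {mime}", findings)
    return findings


def scan_notebook_file(path: str) -> List[Dict[str, str]]:
    with open(path, encoding="utf-8") as fh:
        return scan_notebook(json.load(fh))


# Constructed sample: a harmless markdown cell plus a code cell whose stored
# HTML output contains a button with an inline handler disguised as a normal control.
SAMPLE_NOTEBOOK = {
    "nbformat": 4, "nbformat_minor": 5, "metadata": {},
    "cells": [
        {"cell_type": "markdown", "metadata": {},
         "source": ["# Quarterly report\n", "Plain text only."]},
        {"cell_type": "code", "metadata": {}, "execution_count": 1,
         "source": "from IPython.display import HTML\nHTML(button_markup)",
         "outputs": [{"output_type": "display_data", "metadata": {},
                      "data": {"text/plain": "<IPython.core.display.HTML object>",
                               "text/html": "<button onclick=\"doThing()\">Run all</button>"}}]},
    ],
}

if __name__ == "__main__":
    for finding in scan_notebook(SAMPLE_NOTEBOOK):
        print(f"{finding['location']}: {finding['pattern']} -> {finding['match']!r}")
```

Run `scan_notebook_file()` over notebooks received from outside the trust boundary before opening them; a non-empty result means the file should be reviewed in a text editor rather than rendered. This is a triage aid, not a sanitizer: it cannot prove a notebook safe, and the actual mitigation for the vulnerability is applying the vendor's fixed release.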
References
Code Behaviors & Features