CVE-2026-40110: Jupyter Server has a CORS Origin Validation Bypass via `re.match()` in `allow_origin_pat` (from huntr)
(updated )
Jupyter Server uses re.match() to validate the Origin header against the allow_origin_pat configuration.
Since re.match() only anchors at the start of the string, an attacker who controls a domain like http://trusted.example.com.evil.com/ passes validation against a pattern intended to match only trusted.example.com.
References
- github.com/advisories/GHSA-24qx-w28j-9m6p
- github.com/jupyter-server/jupyter_server
- github.com/jupyter-server/jupyter_server/commit/057869a327c46730afede3eab0ca2d2e3e74acea
- github.com/jupyter-server/jupyter_server/commit/49b34392feaa97735b3b777e3baf8f22f2a14ed8
- github.com/jupyter-server/jupyter_server/pull/603
- github.com/jupyter-server/jupyter_server/security/advisories/GHSA-24qx-w28j-9m6p
- nvd.nist.gov/vuln/detail/CVE-2026-40110
Code Behaviors & Features
Detect and mitigate CVE-2026-40110 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →