CVE-2026-40934: Jupyter Server's Authentication Cookies Remain Valid After Password Reset and Server Restart
A persistent cookie secret allows anyone holding a valid authentication cookie to keep access indefinitely, even after the password is changed.
The cookie secret used to sign authentication cookies is stored in a permanent file (~/.local/share/jupyter/runtime/jupyter_cookie_secret) that is never automatically rotated or cleared. Because a password reset or server restart leaves that file untouched, stolen or otherwise compromised cookies remain valid indefinitely regardless of password resets.