CVE-2026-44180: Jupyter Enterprise Gateway: ContainerProcessProxy._enforce_prohibited_ids Bypass

June 3, 2026 (updated June 23, 2026)

Jupyter Enterprise Gateway has a prohibited UID and GID feature that by default prevents launching kernels with UID or GID 0 (root). This can be bypassed. It is possible to launch kernels with a prohibited UID and/or GID by using a specially crafted KERNEL_UID or KERNEL_GID value.

The feature is described in the documentation:

References

github.com/advisories/GHSA-chq7-94j8-cj28
github.com/jupyter-server/enterprise_gateway/releases/tag/v3.3.0
github.com/jupyter-server/enterprise_gateway/security/advisories/GHSA-chq7-94j8-cj28
nvd.nist.gov/vuln/detail/CVE-2026-44180

Code Behaviors & Features

Detect and mitigate CVE-2026-44180 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →