CVE-2026-34052: LTI JupyterHub Authenticator: Unbounded Memory Growth via Nonce Storage (Denial of Service)
The LTI 1.1 validator stores OAuth nonces in a class-level dictionary that grows without bounds. Nonces are added before signature validation, so an attacker with knowledge of a valid consumer key can send repeated requests with unique nonces to gradually exhaust server memory, causing a denial of service.
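One way to avoid both conditions described above is to store a nonce only after the signature has been verified, and to keep the replay cache bounded by a TTL and a hard cap. This is an added example, not the authenticator's own code: `NonceStore`, `sign`, `validate_launch`, the 300-second window and the entry cap are assumptions, and `sign` is a simplified stand-in for the OAuth 1.0 signature base string.

```python
import hashlib, hmac, time
from collections import OrderedDict

class NonceStore:
    """Per-instance replay cache bounded by a TTL and a hard entry cap."""
    def __init__(self, ttl=300, max_entries=10_000):  # assumed limits
        self.ttl, self.max_entries = ttl, max_entries
        self._seen = OrderedDict()  # (consumer_key, nonce) -> expiry, oldest first

    def _purge(self, now):
        # Constant TTL means insertion order equals expiry order.
        while self._seen and next(iter(self._seen.values())) <= now:
            self._seen.popitem(last=False)

    def seen(self, key, nonce, now):
        self._purge(now)
        return (key, nonce) in self._seen

    def record(self, key, nonce, now):
        self._purge(now)
        # Hard cap: dropping the oldest entry trades a replay window for
        # bounded memory; only signed requests can reach this point.
        while len(self._seen) >= self.max_entries:
            self._seen.popitem(last=False)
        self._seen[(key, nonce)] = now + self.ttl

    def __len__(self):
        return len(self._seen)

def sign(secret, key, nonce, timestamp):
    # Simplified stand-in for the OAuth 1.0 HMAC-SHA1 signature (assumption).
    msg = f"{key}&{nonce}&{timestamp}".encode()
    return hmac.new(secret.encode(), msg, hashlib.sha1).hexdigest()

def validate_launch(store, secrets, key, nonce, timestamp, signature, now=None):
    now = time.time() if now is None else now
    secret = secrets.get(key)
    if secret is None:
        return "unknown consumer"
    if abs(now - timestamp) > store.ttl:
        return "stale timestamp"  # old nonces never need to be remembered
    if not hmac.compare_digest(sign(secret, key, nonce, timestamp), signature):
        return "bad signature"    # nothing is stored for unauthenticated input
    if store.seen(key, nonce, now):
        return "replay"
    store.record(key, nonce, now)
    return "ok"
```

With this ordering, a request that fails signature validation leaves the store unchanged, so knowledge of a consumer key alone no longer grows memory.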