CVE-2026-33709: JupyterHub has an Open Redirect Vulnerability

April 3, 2026 (updated April 27, 2026)

An open redirect vulnerability in JupyterHub <=5.4.3 allows attackers to construct links which, when clicked, take users to the JupyterHub login page, after which they are sent to an arbitrary attacker-controlled site outside JupyterHub instead of a JupyterHub page, bypassing JupyterHub’s check to prevent this.

References

github.com/advisories/GHSA-3vff-hjqv-m7h8
github.com/jupyterhub/jupyterhub
github.com/jupyterhub/jupyterhub/releases/tag/5.4.4
github.com/jupyterhub/jupyterhub/security/advisories/GHSA-3vff-hjqv-m7h8
nvd.nist.gov/vuln/detail/CVE-2026-33709

Code Behaviors & Features

Detect and mitigate CVE-2026-33709 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →