CVE-2026-40864: JupyterHub has cross-origin form POSTs bypass XSRF (CWE-352)

May 5, 2026

JupyterHub’s XSRF protection (updated in 4.1.0) inappropriately treated requests with Sec-Fetch-Mode: no-cors as same-origin requests, which they are not, bypassing XSRF checks. The JSON API is not affected, only HTTP form endpoints, such as /hub/spawn and /hub/accept-share, meaning attackers could trigger server spawn (but not access the server) and if the attacker is a JupyterHub user permitted to share access to their server, cause a user to accept a share and have access to the attacker’s server.

References

github.com/advisories/GHSA-m68r-v472-jgq9
github.com/jupyterhub/jupyterhub
github.com/jupyterhub/jupyterhub/security/advisories/GHSA-m68r-v472-jgq9
nvd.nist.gov/vuln/detail/CVE-2026-40864

Code Behaviors & Features

Detect and mitigate CVE-2026-40864 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →