CVE-2026-33175: Auth0OAuthenticator has an Authentication Bypass via Unverified Email Claims
An authentication bypass vulnerability in oauthenticator allows an attacker with an unverified email address on an Auth0 tenant to log in to JupyterHub. When email is used as the username_claim, the attacker effectively chooses their own JupyterHub username, including the address of an existing user, which makes account takeover possible. Fixed in oauthenticator 17.4.0.
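To make the failure mode concrete, the following is an added example written for this page; it is not code from oauthenticator or from its fix. It models the step where an OAuth authenticator turns the identity provider's userinfo response into a hub username, first as the vulnerable pattern (trust the claim as-is) and then with the check that closes the gap (accept an email-derived username only if the provider asserts email_verified). The userinfo payloads are constructed samples; the username_claim setting, the function names and the assumption that the hub maps email to username are illustrative.

```python
# Added illustration, not code from oauthenticator: models the username-selection
# step of an OAuth login so the unverified-email problem and its fix can be run
# side by side. The Auth0 userinfo payloads below are constructed samples; the
# claim names "email", "email_verified" and "sub" are the standard OIDC ones.
from typing import Optional

USERNAME_CLAIM = "email"  # assumption: the hub maps the email claim to the JupyterHub username

# Constructed sample: the legitimate user's Auth0 profile, email confirmed.
VICTIM_USERINFO = {
    "sub": "auth0|victim-0001",
    "email": "admin@example.org",
    "email_verified": True,
}

# Constructed sample: an attacker self-registers on the same Auth0 tenant and
# claims the victim's address. Until the confirmation link is clicked, the
# provider still returns the address, but with email_verified set to False.
ATTACKER_USERINFO = {
    "sub": "auth0|attacker-0002",
    "email": "admin@example.org",
    "email_verified": False,
}


def vulnerable_username(userinfo: dict, username_claim: str = USERNAME_CLAIM) -> Optional[str]:
    """Shape of the bug: take the claim value as the hub username, no questions asked."""
    return userinfo.get(username_claim)


def hardened_username(userinfo: dict, username_claim: str = USERNAME_CLAIM) -> Optional[str]:
    """Refuse an email-derived username unless the IdP asserts the email is verified.

    Returns None (meaning: deny the login) rather than raising so the caller can
    log and reject uniformly. The check is scoped to the email claim: a stable,
    IdP-issued identifier such as "sub" is not user-chosen and carries no
    verification flag. A missing or non-boolean email_verified is treated as
    unverified, which is the safe default.
    """
    value = userinfo.get(username_claim)
    if not value:
        return None
    if username_claim == "email" and userinfo.get("email_verified") is not True:
        return None
    return value


def login_outcomes(userinfo: dict) -> dict:
    """Return what each implementation would hand to the hub for one userinfo."""
    return {
        "vulnerable": vulnerable_username(userinfo),
        "hardened": hardened_username(userinfo),
    }


if __name__ == "__main__":
    for label, info in (("victim", VICTIM_USERINFO), ("attacker", ATTACKER_USERINFO)):
        print(label, login_outcomes(info))
```

Run as-is, the vulnerable path hands the attacker's session the username admin@example.org, the same name the verified victim receives, while the hardened path denies it. The Auth0 support article in the references covers the complementary tenant-side control: deny access in Auth0 itself to accounts whose email is unverified, so the hub never receives such a login in the first place. Upgrading to the fixed release remains the primary remediation; the tenant-side rule is defense in depth.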
References
- github.com/advisories/GHSA-rrvg-cxh4-qhrv
- github.com/jupyterhub/oauthenticator
- github.com/jupyterhub/oauthenticator/commit/f0c7002dc36e41efae0f674033cf7888a21d96f9
- github.com/jupyterhub/oauthenticator/releases/tag/17.4.0
- github.com/jupyterhub/oauthenticator/security/advisories/GHSA-rrvg-cxh4-qhrv
- nvd.nist.gov/vuln/detail/CVE-2026-33175
- support.auth0.com/center/s/article/Enforce-Email-Verification-With-Sending-Email-After-Each-Denied-Access