jupyterlab: Extension Manager API/GUI Policy Discrepancy allowing 3rd party (malicious)...

8.8 / 10

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Description

jupyterlab is an extensible environment for interactive and reproducible computing, based on the Jupyter Notebook Architecture. From 4.0.0 to 4.5.6, the allow-list of extensions that can be installed from PyPI Extension Manager (allowed_extensions_uris) is not correctly enforced by JupyterLab. The PyPI Extension Manager was not contained to packages listed on the default PyPI index. This vulnerability is fixed in 4.5.7.

AI Analysis

Extension Manager API/GUI Policy Discrepancy allowing 3rd party (malicious) extensions install via POST request

Basic Information

ID CVE-2026-42266

Source GitHub_M

Published May 13, 2026 at 15:08

Affected Product

Vendor jupyterlab

Product jupyterlab

Version >= 4.0.0, < 4.5.7

Affected Versions jupyterlab jupyterlab >= 4.0.0, < 4.5.7

CWE Classification

CWE-88 CWE-602

AI Assessment

AI Score 8.8 / 10

AI Severity High

Vendor Project Jupyter

Product JupyterLab

Version 4.0.0-4.5.6

References

github.com /jupyterlab/jupyterlab/security/advisories/GHSA-37w4-hwhx-4rc4

{
    "lastseen": "",
    "description": "jupyterlab is an extensible environment for interactive and reproducible computing, based on the Jupyter Notebook Architecture. From 4.0.0 to 4.5.6, the allow-list of extensions that can be installed from PyPI Extension Manager (allowed_extensions_uris) is not correctly enforced by JupyterLab. The PyPI Extension Manager was not contained to packages listed on the default PyPI index. This vulnerability is fixed in 4.5.7.",
    "published": "2026-05-13T15:08:49.846Z",
    "modified": "2026-05-13T15:08:49.846Z",
    "type": "cve",
    "title": "jupyterlab: Extension Manager API/GUI Policy Discrepancy allowing 3rd party (malicious) extensions install via POST request.",
    "source": "GitHub_M",
    "references": "https://github.com/jupyterlab/jupyterlab/security/advisories/GHSA-37w4-hwhx-4rc4",
    "id": "CVE-2026-42266",
    "bulletinFamily": "",
    "cwe": [
        "CWE-88",
        "CWE-602"
    ],
    "cvelist": null,
    "sourceData": "jupyterlab jupyterlab >= 4.0.0, < 4.5.7",
    "sourceHref": "",
    "cvss": {
        "score": 8.8,
        "severity": "HIGH",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "jupyterlab",
    "version": ">= 4.0.0, < 4.5.7",
    "vendor": "jupyterlab",
    "ai_description": "Extension Manager API/GUI Policy Discrepancy allowing 3rd party (malicious) extensions install via POST request",
    "ai_severity": "High",
    "ai_vendor": "Project Jupyter",
    "ai_product": "JupyterLab",
    "ai_version": "4.0.0-4.5.6",
    "ai_score": 8.8
}

jupyterlab: Extension Manager API/GUI Policy Discrepancy allowing 3rd party (malicious) extensions install via POST request._CVE-2026-42266