CVE-2026-42266

EUVD-2026-29995
JupyterLab is an extensible environment for interactive and reproducible computing, based on the Jupyter Notebook Architecture. From 4.0.0 to 4.5.6, the allow-list of extensions that can be installed from PyPI Extension Manager (allowed_extensions_uris) is not correctly enforced by JupyterLab. The PyPI Extension Manager was not contained to packages listed on the default PyPI index. This vulnerability is fixed in 4.5.7.
Argument Injection
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
8.8 HIGH
NETWORK
LOW
LOW
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Base Score
CVSS 3.x
EPSS Score
Percentile: 38%
Affected Products (NVD)
VendorProductVersion
jupyterjupyterlab
4.0.0 ≤
𝑥
< 4.5.7
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
https://github.com/jupyterlab/jupyterlab/releases/tag/v4.5.7
https://github.com/jupyterlab/jupyterlab/security/advisories/GHSA-37w4-hwhx-4rc4
https://jupyterhub.readthedocs.io/en/5.2.1/explanation/websecurity.html
https://jupyterlab.readthedocs.io/en/latest/user/extensions.html#extension-manager-implementations