Vulnerability Details CVE-2026-42266
JupyterLab is an extensible environment for interactive and reproducible computing, based on the Jupyter Notebook Architecture. From 4.0.0 to 4.5.6, the allow-list of extensions that can be installed from PyPI Extension Manager (allowed_extensions_uris) is not correctly enforced by JupyterLab. The PyPI Extension Manager was not contained to packages listed on the default PyPI index. This vulnerability is fixed in 4.5.7.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.0
EPSS Ranking 8.9%
CVSS Severity
CVSS v3 Score 8.8
References
- https://github.com/jupyterlab/jupyterlab/releases/tag/v4.5.7
- https://github.com/jupyterlab/jupyterlab/security/advisories/GHSA-37w4-hwhx-4rc4
- https://jupyterhub.readthedocs.io/en/5.2.1/explanation/websecurity.html
- https://jupyterlab.readthedocs.io/en/latest/user/extensions.html#extension-manager-implementations
Products affected by CVE-2026-42266
-
cpe:2.3:a:jupyter:jupyterlab:4.0.0
-
cpe:2.3:a:jupyter:jupyterlab:4.2.1
-
cpe:2.3:a:jupyter:jupyterlab:4.2.2
-
cpe:2.3:a:jupyter:jupyterlab:4.2.3
-
cpe:2.3:a:jupyter:jupyterlab:4.2.4
-
cpe:2.3:a:jupyter:jupyterlab:4.2.5
-
cpe:2.3:a:jupyter:jupyterlab:4.2.6
-
cpe:2.3:a:jupyter:jupyterlab:4.2.7
-
cpe:2.3:a:jupyter:jupyterlab:4.3.0
-
cpe:2.3:a:jupyter:jupyterlab:4.3.1
-
cpe:2.3:a:jupyter:jupyterlab:4.3.2
-
cpe:2.3:a:jupyter:jupyterlab:4.3.3
-
cpe:2.3:a:jupyter:jupyterlab:4.3.4
-
cpe:2.3:a:jupyter:jupyterlab:4.3.5
-
cpe:2.3:a:jupyter:jupyterlab:4.3.6
-
cpe:2.3:a:jupyter:jupyterlab:4.3.7
-
cpe:2.3:a:jupyter:jupyterlab:4.3.8
-
cpe:2.3:a:jupyter:jupyterlab:4.4.0
-
cpe:2.3:a:jupyter:jupyterlab:4.4.1
-
cpe:2.3:a:jupyter:jupyterlab:4.4.2
-
cpe:2.3:a:jupyter:jupyterlab:4.4.3
-
cpe:2.3:a:jupyter:jupyterlab:4.4.4
-
cpe:2.3:a:jupyter:jupyterlab:4.4.5
-
cpe:2.3:a:jupyter:jupyterlab:4.4.6
-
cpe:2.3:a:jupyter:jupyterlab:4.4.7
-
cpe:2.3:a:jupyter:jupyterlab:4.4.8
-
cpe:2.3:a:jupyter:jupyterlab:4.4.9
-
cpe:2.3:a:jupyter:jupyterlab:4.5.0
-
cpe:2.3:a:jupyter:jupyterlab:4.5.1
-
cpe:2.3:a:jupyter:jupyterlab:4.5.2
-
cpe:2.3:a:jupyter:jupyterlab:4.5.3
-
cpe:2.3:a:jupyter:jupyterlab:4.5.4
-
cpe:2.3:a:jupyter:jupyterlab:4.5.5
-
cpe:2.3:a:jupyter:jupyterlab:4.5.6