Jupyter Server Origin Header Validation Flaw <2.18.0
CVE-2026-40110 Published on May 5, 2026
jupyter-server CORS origin validation bypass via unanchored regex in allow_origin_pat
Jupyter Server is the backend for Jupyter web applications. In versions 2.17.0 and earlier, the Origin header validation uses Python's re.match() to check incoming origins against the allow_origin_pat configuration value. Because re.match() only anchors at the start of the string and does not require a full match, a pattern intended to match only a trusted domain (e.g., trusted.example.com) will also match any origin that begins with that domain followed by additional characters (e.g., trusted.example.com.evil.com). An attacker who controls such a domain can bypass the CORS origin restriction and make cross-origin requests to the Jupyter Server API from an untrusted site. This issue has been fixed in version 2.18.0.
Vulnerability Analysis
CVE-2026-40110 is exploitable with network access, requires user interaction. This vulnerability is considered to have a low attack complexity. The potential impact of an exploit of this vulnerability is considered to have a high impact on confidentiality, with no impact on integrity, and no impact on availability.
Weakness Types
Regular Expression without Anchors
The software uses a regular expression to perform neutralization, but the regular expression is not anchored and may allow malicious or malformed data to slip through. When performing tasks such as validating against a set of allowed inputs (allowlist), data is examined and possibly modified to ensure that it is well-formed and adheres to a list of safe values. If the regular expression is not anchored, malicious or malformed data may be included before or after any string matching the regular expression. The type of malicious data that is allowed will depend on the context of the application and which anchors are omitted from the regular expression.
Permissive Regular Expression
The product uses a regular expression that does not sufficiently restrict the set of allowed values.
Products Associated with CVE-2026-40110
stack.watch emails you whenever new vulnerabilities are published in Red Hat Migration Toolkit Applications or Red Hat Openshift Ai. Just hit a watch button to start following.
Affected Versions
jupyter-server jupyter_server:- Version <= 2.17.0 is affected.
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.