CVE-2026-42266
JupyterLab has an Extension Manager API/GUI Policy Discrepancy allowing 3rd party (malicious) extensions install via POST request.
JupyterLab is an extensible environment for interactive and reproducible computing, based on the Jupyter Notebook Architecture. From 4.0.0 to 4.5.6, the allow-list of extensions that can be installed from PyPI Extension Manager (allowed_extensions_uris) is not correctly enforced by JupyterLab. The PyPI Extension Manager was not contained to packages listed on the default PyPI index. This vulnerability is fixed in 4.5.7.
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Productos afectados
jupyterlab · jupyterlab¿Quieres saber si tu infraestructura está expuesta a esto?
Hablar con TrueHacking →Referencias
https://github.com/jupyterlab/jupyterlab/releases/tag/v4.5.7https://github.com/jupyterlab/jupyterlab/security/advisories/GHSA-37w4-hwhx-4rc4https://jupyterhub.readthedocs.io/en/5.2.1/explanation/websecurity.htmlhttps://jupyterlab.readthedocs.io/en/latest/user/extensions.html#extension-manager-implementations