Skip to content

chore: 🔨 Update dependency jupyterlab to v4.5.9 [SECURITY]#2107

Open
renovate[bot] wants to merge 1 commit into
mainfrom
renovate/pypi-jupyterlab-vulnerability
Open

chore: 🔨 Update dependency jupyterlab to v4.5.9 [SECURITY]#2107
renovate[bot] wants to merge 1 commit into
mainfrom
renovate/pypi-jupyterlab-vulnerability

Conversation

@renovate

@renovate renovate Bot commented Apr 30, 2026

Copy link
Copy Markdown
Contributor

This PR contains the following updates:

Package Change Age Confidence
jupyterlab (changelog) 4.5.64.5.9 age confidence

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.


Jupyter Notebook Vulnerable to Authentication Token Theft via CommandLinker XSS

CVE-2026-40171 / GHSA-rch3-82jr-f9w9

More information

Details

Impact

A stored Cross-Site Scripting (XSS) vulnerability in Jupyter Notebook allows attackers to steal authentication tokens from users who open malicious notebook files and interact with elements that the attacker can make look indistinguishable from legitimate controls (single click interaction).

The vulnerability enables complete account takeover through the Jupyter REST API, allowing the attacker to:

  1. Read all files
  2. Modify/create files
  3. Access running kernels and execute arbitrary code
  4. Create terminals for shell access
Patches

Jupyter Notebook 7.5.6 and JupyterLab 4.5.7 include patches for this vulnerability.

Workarounds

The help extension can be disabled via CLI:

jupyter labextension disable @​jupyter-notebook/help-extension
jupyter labextension disable @​jupyterlab/help-extension
Hardening

The patched versions include a toggle to disable the command linker functionality altogether, for example via overrides.json:

{
  "@​jupyterlab/apputils-extension:sanitizer": {
    "allowCommandLinker": false
  }
}
Resources
Acknowledgments

Reported by Daniel Teixeira - NVIDIA AI Red Team

Severity

  • CVSS Score: 8.4 / 10 (High)
  • Vector String: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


JupyterLab has an Extension Manager API/GUI Policy Discrepancy, allowing 3rd party (malicious) extensions install via POST request

CVE-2026-42266 / GHSA-37w4-hwhx-4rc4

More information

Details

The allow-list of extensions that can be installed from PyPI Extension Manager (allowed_extensions_uris) is not correctly enforced by JupyterLab prior to 4.5.7. The PyPI Extension Manager was not contained to packages listed on the default PyPI index.

This has security implications for deployments that:

  • have allow-listed specific extensions with aim to prevent users from installing packages
  • have the kernel and terminals disabled or delegated to remote hosts (thus no access to install packages in the single-user server environment)
  • have multi-tenant deployments that is not configured for untrusted users (as per documented on JupyterHub https://jupyterhub.readthedocs.io/en/5.2.1/explanation/websecurity.html)
  • have the (default) PyPI Extension Manager enabled
Impact

An authenticated attacker - such as a student in a shared JupyterHub environment or a user in a multi-tenant JupyterLab deployment - can escalate their privileges. This might allow for data exfiltration, lateral movement within the network, and persistent compromise of the server infrastructure.

Patches

JupyterLab v4.5.7 contains the patch.

Users of applications that depend on JupyterLab, such as Notebook v7+, should update jupyterlab package too.

Workarounds

Switch to read-only extension manager by adding the following command line option:

--LabApp.extension_manager=readonly

or the following traitlet:

c.LabApp.extension_manager = 'readonly'

You can confirm that the read-only manager is in use from GUI:

image

Note: configuration of a PyPI proxy with allow-listed packages is not sufficient to protect from this vulnerability.

References

Severity

  • CVSS Score: 8.8 / 10 (High)
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


JupyterLab's command linker attributes in HTML enable one-click command execution from untrusted content

CVE-2026-42557 / GHSA-mqcg-5x36-vfcg

More information

Details

JupyterLab's HTML sanitizer allowlists data-commandlinker-command and data-commandlinker-args on button elements, while CommandLinker listens for all click events on document.body and executes the named command without checking whether the element came from trusted JupyterLab UI. A notebook with a pre-saved HTML cell output containing a deceptive button can trigger arbitrary JupyterLab commands - including arbitrary code execution - on a single user click, without any code being submitted for execution by the user.

Impact

An attacker who shares a notebook or a Markdown file - via email, GitHub, or a Binder link - can invoke an arbitrary command upon a single click by the victim. The button can be rendered inside the output area and be visually indistinguishable from a legitimate widget. No kernel needs to start; the HTML output is stored in the notebook file and displayed immediately on open.

Single-click impact

An attacker convincing the victim to click on a single button or link can:

  • execute arbitrary code in the available kernels,
  • delete files leading to information loss; in principle the loss could be unrecoverable, depending on server configuration and attack complexity,
  • open multiple kernels/terminals at once, or create multiple files at once, putting significant stress on the server and thus deny availability for other users when using standalone multi-tenant jupyter-server deployment, and to a lesser degree impact availability on JupyterHub deployments.

The arbitrary code execution will be immediately visible to the user; and can be halted by the timely user intervention. The deletion of files can be silent and go unnoticed for some time.

Multi-click attacks

An attacker who convinces the victim to click on multiple buttons in specific order and to grant access to clipboard (or in scenarios where the user already granted keyboard access) can obtain full access to the terminal and execute arbitrary commands in the environment with access scope that might exceed that of available kernels. Only users of Chromium-based browsers are susceptible to this expanded variant of the attack.

The execution of commands in the terminal would be immediately visible to the user.

Impact of third-party extensions

The impact described above assumes a plain JupyterLab/Notebook installation. In environments with frontend extensions that contribute additional commands the attack surface is increased by the functionality covered by these commands.

Patches

JupyterLab 4.5.7

Workarounds

No workarounds are available for end-users.

Downstream applications inheriting from JupyterFrontEnd or JupyterLab can effectively disable the CommandLinker by passing commandLinker: new CommandLinker({ commands: new CommandRegistry() }) option in the initialization options.

Hardening

The patched versions include a toggle to disable the command linker functionality altogether, for example via overrides.json:

{
  "@​jupyterlab/apputils-extension:sanitizer": {
    "allowCommandLinker": false
  }
}
Resources

Severity

  • CVSS Score: 8.6 / 10 (High)
  • Vector String: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


JupyterLab: Stored XSS in extension manager through package metadata unsanitized URI protocol

GHSA-vmhf-c436-hxj4

More information

Details

A malicious PyPI package can place a javascript: URL in its [project.urls] metadata. JupyterLab's Extension Manager renders this as the extension's home-page link without validating the protocol, so a user who clicks the extension name executes attacker-controlled JavaScript in the JupyterLab origin.

Details

One of the PyPI package's URL (jupyterlab/extensions/pypi.py) is copied straight into the homepage_url rendered by the frontend in packages/extensionmanager/src/widget.tsx#L77-L88.

best_guess_home_url = (
    homepage_url            # home_page / [project.urls] Homepage
    or data.get("project_url")
    or data.get("package_url")
    or documentation_url    # docs_url / [project.urls] Documentation
    or source_url           # [project.urls] Source Code
    or bug_tracker_url      # bugtrack_url / [project.urls] Bug Tracker
)

##### homepage_url=best_guess_home_url
{entry.homepage_url ? (
  <a href={entry.homepage_url} target="_blank" rel="noopener noreferrer" ...>
    {entry.name}
  </a>
) : ( <div>{entry.name}</div> )}
Impact

An attacker needs to publish a package to PyPI (no access to the target). When the package appears in a victim's extension manager list and the victim clicks the extension name, the payload runs in the JupyterLab origin.

Preconditions: Extension Manager enabled with the default PyPI source, the malicious package appears in the victim's list/search results.

Patches

Patched in 4.5.9, commits 4e61e07 and d5d961f

Severity

  • CVSS Score: 5.1 / 10 (Medium)
  • Vector String: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


Release Notes

jupyterlab/jupyterlab (jupyterlab)

v4.5.9

Compare Source

4.5.9

(Full Changelog)

Bugs fixed
Contributors to this release

The following people contributed discussions, new ideas, code and documentation contributions, and review.
See our definition of contributors.

(GitHub contributors page for this release)

@​arun-357 (activity) | @​Darshan808 (activity) | @​krassowski (activity) | @​MUFFANUJ (activity) | @​Yann-P (activity)

v4.5.8

Compare Source

4.5.8

(Full Changelog)

Bugs fixed
Maintenance and upkeep improvements
Contributors to this release

The following people contributed discussions, new ideas, code and documentation contributions, and review.
See our definition of contributors.

(GitHub contributors page for this release)

@​AliMahmoudDev (activity) | @​CrafterKolyan (activity) | @​Darshan808 (activity) | @​krassowski (activity)

v4.5.7

Compare Source

4.5.7

(Full Changelog)

Security patches
Bugs fixed
Maintenance and upkeep improvements
Documentation improvements
Contributors to this release

The following people contributed discussions, new ideas, code and documentation contributions, and review.
See our definition of contributors.

(GitHub contributors page for this release)

@​Carreau (activity) | @​filipeoliveira05 (activity) | @​flaviomartins (activity) | @​itsmejay80 (activity) | @​jtpio (activity) | @​krassowski (activity) | @​martinRenou (activity) | @​MUFFANUJ (activity) | @​utsav-develops (activity)


Configuration

📅 Schedule: (in timezone America/New_York)

  • Branch creation
    • At any time (no schedule defined)
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate renovate Bot requested a review from Anselmoo as a code owner April 30, 2026 19:50
@renovate renovate Bot added dependencies Pull requests that update a dependency file renovate labels Apr 30, 2026
@semanticdiff-com

Copy link
Copy Markdown

Review changes with  SemanticDiff

@sonarqubecloud

Copy link
Copy Markdown

@codecov

codecov Bot commented Apr 30, 2026

Copy link
Copy Markdown

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 97.70%. Comparing base (6bed9a6) to head (7723d5e).

Additional details and impacted files
@@           Coverage Diff           @@
##             main    #2107   +/-   ##
=======================================
  Coverage   97.70%   97.70%           
=======================================
  Files          63       63           
  Lines        6246     6246           
=======================================
  Hits         6102     6102           
  Misses        144      144           
Flag Coverage Δ
unittests 97.70% <ø> (ø)

Flags with carried forward coverage won't be shown. Click here to find out more.

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
  • 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

@stale

stale Bot commented Jun 6, 2026

Copy link
Copy Markdown

This pull request has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

@stale stale Bot added the wontfix This will not be worked on label Jun 6, 2026
@renovate renovate Bot force-pushed the renovate/pypi-jupyterlab-vulnerability branch from dc376ff to 0260236 Compare June 11, 2026 13:58
@renovate renovate Bot force-pushed the renovate/pypi-jupyterlab-vulnerability branch from 0260236 to 7723d5e Compare June 22, 2026 21:30
@renovate renovate Bot changed the title chore: 🔨 Update dependency jupyterlab to v4.5.7 [SECURITY] chore: 🔨 Update dependency jupyterlab to v4.5.9 [SECURITY] Jun 22, 2026
@sonarqubecloud

Copy link
Copy Markdown

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

dependencies Pull requests that update a dependency file renovate root size/XS wontfix This will not be worked on

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants