CVE-2026-33175
Published 2026-04-03
Priority: P2 (60) · Severity: high · CVSS 3.1 base score: 8.8
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.44% (35.0th percentile)
OAuthenticator is software that allows OAuth2 identity providers to be plugged in and used with JupyterHub. Prior to version 17.4.0, an authentication bypass vulnerability in oauthenticator allows an attacker with an unverified email address on an Auth0 tenant to log in to JupyterHub. When email is used as the `username_claim`, this gives users control over their username and the possibility of account takeover. This issue has been patched in version 17.4.0.
Affected (3 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| jupyter | oauthenticator | < 17.4.0 | 17.4.0 |
| jupyterhub | oauthenticator | < 17.4.0 | 17.4.0 |
| jupyterhub | oauthenticator | >= 0 < 17.4.0 | 17.4.0 |
GHSA · 2026-04-03
CVE-2026-33175 [HIGH] CWE-287 Auth0OAuthenticator has an Authentication Bypass via Unverified Email Claims
### Summary
An authentication bypass vulnerability in `oauthenticator` allows an attacker with an unverified email address on an Auth0 tenant to log in to JupyterHub. When `email` is used as the `username_claim`, this gives users control over their username and the possibility of account takeover.
### Impact
This is an **Authentication Bypass Vulnerability**. Any Auth0 tenant leveraging the `Auth0OAuthenticator` mapping the `email` claim to the JupyterHub username is impacted. By default, Auth0 handles email verification as a user flag, not a hard block to authentication streams. If an attacker can register an account with the Auth0 tenant with an unverified email and knows the email of an existing user on the sys
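The advisory's core point is that an identity provider's email address is only a safe username source if the provider has actually verified it. The following Python is an added example written for this page, not oauthenticator's own code or the 17.4.0 patch: it models the username-claim resolution before and after a verification check, and adds a retrospective log check for the collision pattern that account takeover through this bug would leave behind. It assumes the provider's userinfo response carries the standard OIDC `email` and `email_verified` claims; the function and sample-data names are illustrative, and all sample identities are constructed.

```python
"""Added example (not oauthenticator's own code): gating an email-derived
JupyterHub username on the provider's email verification flag.

Assumptions (not stated on the advisory page): the identity provider's
userinfo document carries the standard OIDC `email` and `email_verified`
claims, and the hub maps the configured username claim straight to the
JupyterHub username. Names below are illustrative, not the project's API.
"""

# Constructed sample userinfo documents of the shape an OIDC userinfo
# endpoint returns (all values invented for this example).
LEGIT_USER = {"sub": "auth0|111", "email": "alice@example.org", "email_verified": True}
# A freshly self-registered account that asserts an address it never proved.
UNVERIFIED_SPOOF = {"sub": "auth0|999", "email": "alice@example.org", "email_verified": False}
# Flag absent entirely: must be treated as unverified, not as verified.
NO_FLAG = {"sub": "auth0|555", "email": "bob@example.org"}

# Constructed (subject, granted username) pairs as a hub login log would record them.
SAMPLE_LOGIN_EVENTS = [
    ("auth0|111", "alice@example.org"),
    ("auth0|999", "alice@example.org"),
    ("auth0|555", "bob@example.org"),
]


class AuthFailed(Exception):
    """Raised when no JupyterHub username may be granted for this identity."""


def username_before_fix(userinfo, username_claim="email"):
    """Vulnerable pattern: whatever the claim says becomes the username.
    Two different provider subjects with the same unverified email collide."""
    username = userinfo.get(username_claim)
    if not username:
        raise AuthFailed(f"missing {username_claim} claim")
    return username


def username_after_fix(userinfo, username_claim="email", require_verified_email=True):
    """Hardened pattern: when the username is derived from `email`, refuse any
    identity the provider has not marked verified. A missing `email_verified`
    claim counts as False, so the check fails closed."""
    username = userinfo.get(username_claim)
    if not username:
        raise AuthFailed(f"missing {username_claim} claim")
    if username_claim == "email" and require_verified_email:
        if userinfo.get("email_verified") is not True:
            raise AuthFailed("email address not verified by identity provider")
    return username


def login_outcomes(resolver):
    """Run the three constructed identities through a resolver and report the
    JupyterHub username each would receive (None means login rejected)."""
    outcomes = {}
    for label, info in (("legit", LEGIT_USER), ("spoof", UNVERIFIED_SPOOF), ("noflag", NO_FLAG)):
        try:
            outcomes[label] = resolver(info)
        except AuthFailed:
            outcomes[label] = None
    return outcomes


def username_collisions(login_events):
    """Retrospective check over (sub, username) pairs from hub login logs: a
    username granted to more than one provider subject is the signature of
    the takeover this advisory describes."""
    subjects_by_user = {}
    for sub, username in login_events:
        subjects_by_user.setdefault(username, set()).add(sub)
    return {u: sorted(s) for u, s in subjects_by_user.items() if len(s) > 1}


if __name__ == "__main__":
    print("before fix:", login_outcomes(username_before_fix))
    print("after fix: ", login_outcomes(username_after_fix))
    print("collisions:", username_collisions(SAMPLE_LOGIN_EVENTS))
```

Before the check, the spoofed identity is granted `alice@example.org` just like the real user; after it, both the unverified and the flag-less identities are rejected, while deployments that key the username on a stable `sub`-style claim are unaffected by the email flag. The collision check is the query worth running over historical login records on an affected deployment: one username appearing under two provider subjects deserves an investigation.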
OSV · 2026-04-03
CVE-2026-33175 [HIGH] Auth0OAuthenticator has an Authentication Bypass via Unverified Email Claims
No detection rules found.
No public exploits indexed.
Published: 2026-04-03