CVE-2026-40934
Published 2026-05-05
Priority: P3 (47) | Severity: medium | CVSS 3.1: 6.8
CVSS 3.1 vector: AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N
EPSS: 0.31% (22.4th percentile)
Jupyter Server is the backend for Jupyter web applications. In versions 2.17.0 and earlier, the secret used to sign authentication cookies is persisted to a static file at ~/.local/share/jupyter/runtime/jupyter_cookie_secret and is never rotated when a user changes their password. After a password reset and server restart, any previously issued authentication cookie remains cryptographically valid because the signing key has not changed. An attacker who has captured a session cookie through any means retains full authenticated access to the server regardless of subsequent password changes. This affects deployments using password-based authentication, particularly shared or public-facing servers where credential rotation is expected to revoke existing sessions. This issue has been fixed in version 2.18.0.
Affected
19 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | jupyter-server | >= 0 < 2.18.0 | 2.18.0 |
| jupyter-server | jupyter_server | < 2.18.0 | 2.18.0 |
| jupyter | jupyter_server | < 2.18.0 | 2.18.0 |
| mta | mta-solution-server-rhel9 | — | — |
| rhoai | odh-th06-cpu-torch210-py312-rhel9 | — | — |
| rhoai | odh-th06-cpu-torch291-py312-rhel9 | — | — |
| rhoai | odh-th06-cuda130-torch210-py312-rhel9 | — | — |
| rhoai | odh-th06-cuda130-torch291-py312-rhel9 | — | — |
| rhoai | odh-th06-rocm64-torch291-py312-rhel9 | — | — |
| rhoai | odh-workbench-jupyter-datascience-cpu-py312-rhel9 | — | — |
| rhoai | odh-workbench-jupyter-minimal-cpu-py312-rhel9 | — | — |
| rhoai | odh-workbench-jupyter-minimal-cuda-py312-rhel9 | — | — |
| rhoai | odh-workbench-jupyter-minimal-rocm-py312-rhel9 | — | — |
| rhoai | odh-workbench-jupyter-pytorch-cuda-py312-rhel9 | — | — |
| rhoai | odh-workbench-jupyter-pytorch-llmcompressor-cuda-py312-rhel9 | — | — |
| rhoai | odh-workbench-jupyter-pytorch-rocm-py312-rhel9 | — | — |
| rhoai | odh-workbench-jupyter-tensorflow-cuda-py312-rhel9 | — | — |
| rhoai | odh-workbench-jupyter-tensorflow-rocm-py312-rhel9 | — | — |
| rhoai | odh-workbench-jupyter-trustyai-cpu-py312-rhel9 | — | — |
CVSS provenance

| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 6.8 | MEDIUM | CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N |
| nvd | v4.0 | 7.6 | HIGH | CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
| vendor_redhat | — | 7.6 | HIGH | — |
GHSA · 2026-05-05 · MEDIUM · CWE-613
Jupyter Server's Authentication Cookies Remain Valid After Password Reset and Server Restart
## Summary
A cookie secret that is never rotated allows anyone holding a previously issued authentication cookie to keep access indefinitely, even after the password is changed.
The cookie secret used to sign authentication cookies is stored in a permanent file (`~/.local/share/jupyter/runtime/jupyter_cookie_secret`) that is never automatically rotated or cleared, allowing stolen or compromised cookies to remain valid indefinitely regardless of password resets.
## PoC
- Start a Jupyter server with password authentication: `jupyter server password`, `jupyter server`
- Log in with the password and capture the authentication cookie (e.g., log in with a browser and copy the cookie from its developer tools).
- Change the password to revoke access: `jupyter server password`
- Re
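The PoC above and the Summary describe the same mechanism: the cookie is an HMAC over its contents under a secret read from `jupyter_cookie_secret`, so a password change that leaves that file untouched cannot invalidate anything. The following is an added, constructed model of that behaviour (not Jupyter Server's code) in the style of Tornado's signed cookies. It compares a server that persists the secret once and reuses it forever with one that regenerates the secret whenever the password changes. `StaticSecretServer`, `RotatingSecretServer`, `stale_cookie_accepted`, the cookie name and the password hash are all hypothetical stand-ins; the mechanism 2.18.0 actually uses is not described on this page.

```python
"""Constructed model of the unrotated cookie-secret flaw. Added illustration only;
not Jupyter Server code. All class and function names are hypothetical."""
import hashlib
import hmac
import os
import secrets
import tempfile
import time
from typing import Optional

COOKIE_NAME = "username-localhost-8888"  # Jupyter-style cookie name, illustrative only
SECRET_FILE = "jupyter_cookie_secret"    # same file name the advisory cites


def sign_cookie(secret: bytes, value: str, issued: int) -> str:
    """Tornado-style signed cookie: name|value|timestamp|HMAC-SHA256."""
    payload = f"{COOKIE_NAME}|{value}|{issued}"
    mac = hmac.new(secret, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}|{mac}"


def verify_cookie(secret: bytes, cookie: str) -> Optional[str]:
    """Return the cookie's value if its MAC verifies under `secret`, else None."""
    parts = cookie.split("|")
    if len(parts) != 4 or parts[0] != COOKIE_NAME:
        return None
    name, value, issued, mac = parts
    expected = hmac.new(secret, f"{name}|{value}|{issued}".encode(), hashlib.sha256).hexdigest()
    return value if hmac.compare_digest(mac, expected) else None


def hash_password(password: str) -> str:
    # Stand-in for a real password hash; only the session logic matters here.
    return hashlib.sha256(password.encode()).hexdigest()


class StaticSecretServer:
    """Vulnerable model: the secret is written to SECRET_FILE once and reused forever,
    so a password change (and a restart, which re-reads the file) never invalidates cookies."""

    def __init__(self, runtime_dir: str):
        self.runtime_dir = runtime_dir
        self.password_hash = self._read("password_hash")  # persisted, like a real config
        stored = self._read(SECRET_FILE)
        if stored is None:                                # first start: generate and persist
            stored = secrets.token_hex(32)
            self._write(SECRET_FILE, stored)
        self.secret = bytes.fromhex(stored)

    def _read(self, name: str) -> Optional[str]:
        try:
            with open(os.path.join(self.runtime_dir, name)) as f:
                return f.read()
        except FileNotFoundError:
            return None

    def _write(self, name: str, data: str) -> None:
        with open(os.path.join(self.runtime_dir, name), "w") as f:
            f.write(data)

    def set_password(self, password: str) -> None:
        """Models `jupyter server password`: only the stored hash changes."""
        self.password_hash = hash_password(password)
        self._write("password_hash", self.password_hash)

    def login(self, password: str) -> Optional[str]:
        if self.password_hash is None or not hmac.compare_digest(hash_password(password), self.password_hash):
            return None
        return sign_cookie(self.secret, "user", int(time.time()))

    def is_authenticated(self, cookie: str) -> bool:
        return verify_cookie(self.secret, cookie) is not None


class RotatingSecretServer(StaticSecretServer):
    """Hardened model: a password change also replaces the persisted secret, so every
    cookie issued under the old secret fails verification afterwards."""

    def set_password(self, password: str) -> None:
        super().set_password(password)
        self.secret = secrets.token_bytes(32)
        self._write(SECRET_FILE, self.secret.hex())


def stale_cookie_accepted(server_cls) -> bool:
    """Run the advisory's PoC against a server model: log in, capture the cookie,
    change the password, restart (reload state from disk), replay the cookie.
    True means the old cookie still authenticates, i.e. the vulnerable outcome."""
    with tempfile.TemporaryDirectory() as runtime_dir:
        server = server_cls(runtime_dir)
        server.set_password("first-password")
        captured = server.login("first-password")
        server.set_password("second-password")
        restarted = server_cls(runtime_dir)  # fresh process reading the same runtime dir
        return captured is not None and restarted.is_authenticated(captured)


if __name__ == "__main__":
    print("static secret, stale cookie accepted:", stale_cookie_accepted(StaticSecretServer))
    print("rotating secret, stale cookie accepted:", stale_cookie_accepted(RotatingSecretServer))
```

The check a practitioner wants is the replay step itself: after `jupyter server password` and a restart, a cookie captured before the reset must be rejected; on an affected version it is not. Rotating the secret is the simplest remedy in the model above, but it also logs out every legitimate session, which is exactly what "credential rotation is expected to revoke existing sessions" asks for. For an unpatched deployment, deleting `jupyter_cookie_secret` before restarting causes Jupyter Server to generate a new secret (project behaviour, not stated on this page), which gives the same effect by hand until 2.18.0 is installed.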
Red Hat (vendor_redhat) · 2026-05-05 · CVSS 7.6 HIGH · CWE-613
jupyter-server: Jupyter Server: Authentication bypass due to unrotated cookie secret
A flaw was found in Jupyter Server. The secret used to sign authentication cookies is not rotated when a user changes their password, allowing previously issued authentication cookies to remain valid. A remote attacker who has captured a session cookie can retain full authenticated access to the server, even after a password reset and server restart. This vulnerability impacts deployments using password-based authentication, especially shared or public-facing servers where credential rotation is expected to revoke existing sessions.
Package: mta/mta-solution-server-rhel9 (Migration Toolkit for Applications 8) - Fix deferred
Package: rhoai/odh-th06-cpu-torch210-py312-rhel9 (Red Hat OpenShift AI (RHOAI))
No detection rules found.
No public exploits indexed.
Bugzilla · 2026-06-04 · CVSS 7.6 HIGH
CVE-2026-40934 python-jupyter-server: Jupyter Server: Authentication bypass due to unrotated cookie secret [fedora-all]
Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.
Bugzilla · 2026-06-04 · CVSS 7.6 HIGH
CVE-2026-40934 python-jupyter-server: Jupyter Server: Authentication bypass due to unrotated cookie secret [epel-all]
Bugzilla · 2026-05-05 · CVSS 7.6 HIGH
CVE-2026-40934 jupyter-server: Jupyter Server: Authentication bypass due to unrotated cookie secret
Published: 2026-05-05