Source: jupyterhub
Version: 5.2.1+ds1-4
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>

Hi,

The following vulnerability was published for jupyterhub.

CVE-2026-33709[0]:
| JupyterHub is software that allows one to create a multi-user server
| for Jupyter notebooks. Prior to version 5.4.4, an open redirect
| vulnerability in JupyterHub allows attackers to construct links
| which, when clicked, take users to the JupyterHub login page, after
| which they are sent to an arbitrary attacker-controlled site outside
| JupyterHub instead of a JupyterHub page, bypassing JupyterHub's
| check to prevent this. This issue has been patched in version 5.4.4.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-33709
    https://www.cve.org/CVERecord?id=CVE-2026-33709
[1] https://github.com/jupyterhub/jupyterhub/security/advisories/GHSA-3vff-hjqv-m7h8

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

