OAuthenticator Authentication Bypass Vulnerability (CVE-2026-33175)
OAuthenticator versions prior to 17.4.0 contain an authentication bypass vulnerability (CVE-2026-33175) that allows an attacker with an unverified email address on an Auth0 tenant to log in to JupyterHub when email is used as the username claim, potentially leading to account takeover.
OAuthenticator is a software package that enables the integration of OAuth2 identity providers with JupyterHub. A critical authentication bypass vulnerability, identified as CVE-2026-33175, affects OAuthenticator versions prior to 17.4.0. This flaw permits an attacker with an unverified email address on an Auth0 tenant to successfully authenticate and log in to a JupyterHub instance. The vulnerability arises when email is used as the username_claim, granting attackers control over their username and potentially enabling account takeover. Organizations using affected versions of OAuthenticator in conjunction with Auth0 are at risk. The vulnerability was patched in version 17.4.0.
Attack Chain
- Attacker gains access to an Auth0 tenant and creates an account.
- The attacker does not verify the email address associated with the Auth0 account.
- JupyterHub is configured to use OAuthenticator for authentication, with email specified as the username_claim.
- The attacker attempts to log in to JupyterHub using the unverified Auth0 account.
- Due to the vulnerability in OAuthenticator versions prior to 17.4.0, the authentication bypass occurs, allowing the attacker to successfully log in.
- The attacker gains unauthorized access to the JupyterHub environment.
- Attacker leverages the compromised account to perform malicious activities, such as accessing sensitive data or modifying Jupyter notebooks.
Impact
Successful exploitation of CVE-2026-33175 allows unauthorized access to JupyterHub instances. This can lead to the compromise of sensitive data, modification of Jupyter notebooks, and potential disruption of services. The vulnerability impacts organizations that use OAuthenticator with Auth0 and rely on email as the username claim. The number of affected organizations is currently unknown.
Recommendation
- Upgrade OAuthenticator to version 17.4.0 or later to patch CVE-2026-33175.
- Review JupyterHub configurations to ensure that email is not used as the username_claim if possible.
- Implement multi-factor authentication (MFA) for JupyterHub accounts to mitigate the risk of account takeover.
- Monitor logs for suspicious login attempts from Auth0 accounts with unverified email addresses. Deploy the provided Sigma rule targeting process creation after successful authentication to detect suspicious activity.
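The configuration point above comes down to how the username is derived from the Auth0 identity. The following is an added example, not OAuthenticator's own code, of a username-resolution check that refuses to map an email to a Hub user unless the provider marks it verified; it assumes the standard OIDC email_verified claim in the userinfo payload and lower-cases the address (a normalisation choice of this example, not something the advisory prescribes).

```python
# Added example (not OAuthenticator's own code): a username-resolution
# check of the kind CVE-2026-33175 calls for when Auth0's email is the
# username claim. Assumes the standard OIDC "email_verified" claim.
from typing import Optional


class UnverifiedEmailError(Exception):
    """Raised when the login's email has not been verified by the IdP."""


def resolve_username(userinfo: dict, username_claim: str = "email") -> str:
    """Return the JupyterHub username derived from an Auth0 userinfo payload.

    When the username is taken from the email claim, the email must be
    marked verified by Auth0; otherwise whoever controls an unverified
    address could be mapped onto an existing user's account.
    """
    value = userinfo.get(username_claim)
    if not value:
        raise KeyError(f"userinfo has no '{username_claim}' claim")
    if username_claim == "email":
        # email_verified must be the JSON boolean true; a "true" string,
        # the number 1, or a missing claim are all treated as unverified.
        if userinfo.get("email_verified") is not True:
            raise UnverifiedEmailError(f"email {value!r} is not verified")
        # Normalisation assumed by this example: one Hub user per address
        # regardless of letter case.
        return value.strip().lower()
    return str(value)


def login_allowed(userinfo: dict, username_claim: str = "email") -> Optional[str]:
    """Return the username on success, None when the login must be rejected."""
    try:
        return resolve_username(userinfo, username_claim)
    except (KeyError, UnverifiedEmailError):
        return None


# Constructed sample payloads, shaped like Auth0 /userinfo responses.
VERIFIED = {"sub": "auth0|1", "email": "Alice@Example.com", "email_verified": True}
UNVERIFIED = {"sub": "auth0|2", "email": "alice@example.com", "email_verified": False}
MISSING_FLAG = {"sub": "auth0|3", "email": "alice@example.com"}
STRING_FLAG = {"sub": "auth0|4", "email": "alice@example.com", "email_verified": "true"}

if __name__ == "__main__":
    for name, payload in [("verified", VERIFIED), ("unverified", UNVERIFIED),
                          ("missing flag", MISSING_FLAG), ("string flag", STRING_FLAG)]:
        print(f"{name}: {login_allowed(payload)}")
```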
Detection coverage (2 rules)
- Detect JupyterHub Process Creation After Successful Auth0 Authentication (severity: high): Detects suspicious process creation events on a JupyterHub server shortly after a successful authentication event from Auth0, which may indicate exploitation of CVE-2026-33175.
- Detect Account Takeover via Auth0 Unverified Email on JupyterHub (severity: medium): Detects potential account takeover attempts via Auth0 accounts with unverified email addresses on JupyterHub instances.