{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/cve-2026-33175/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["authentication-bypass","jupyterhub","oauthenticator","cve-2026-33175"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eOAuthenticator is a software package that enables the integration of OAuth2 identity providers with JupyterHub. A critical authentication bypass vulnerability, identified as CVE-2026-33175, affects OAuthenticator versions prior to 17.4.0. This flaw permits an attacker with an unverified email address on an Auth0 tenant to successfully authenticate and log in to a JupyterHub instance. The vulnerability arises when email is used as the \u003ccode\u003eusername_claim\u003c/code\u003e, granting attackers control over their username and potentially enabling account takeover. Organizations using affected versions of OAuthenticator in conjunction with Auth0 are at risk. The vulnerability was patched in version 17.4.0.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker gains access to an Auth0 tenant and creates an account.\u003c/li\u003e\n\u003cli\u003eThe attacker does not verify the email address associated with the Auth0 account.\u003c/li\u003e\n\u003cli\u003eJupyterHub is configured to use OAuthenticator for authentication, with email specified as the \u003ccode\u003eusername_claim\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker attempts to log in to JupyterHub using the unverified Auth0 account.\u003c/li\u003e\n\u003cli\u003eDue to the vulnerability in OAuthenticator versions prior to 17.4.0, the authentication bypass occurs, allowing the attacker to successfully log in.\u003c/li\u003e\n\u003cli\u003eThe attacker gains unauthorized access to the JupyterHub environment.\u003c/li\u003e\n\u003cli\u003eAttacker leverages the compromised account to perform malicious activities, such as accessing sensitive data or modifying Jupyter notebooks.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-33175 allows unauthorized access to JupyterHub instances. This can lead to the compromise of sensitive data, modification of Jupyter notebooks, and potential disruption of services. The vulnerability impacts organizations that use OAuthenticator with Auth0 and rely on email as the username claim. The number of affected organizations is currently unknown.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade OAuthenticator to version 17.4.0 or later to patch CVE-2026-33175.\u003c/li\u003e\n\u003cli\u003eReview JupyterHub configurations to ensure that email is not used as the \u003ccode\u003eusername_claim\u003c/code\u003e if possible.\u003c/li\u003e\n\u003cli\u003eImplement multi-factor authentication (MFA) for JupyterHub accounts to mitigate the risk of account takeover.\u003c/li\u003e\n\u003cli\u003eMonitor logs for suspicious login attempts from Auth0 accounts with unverified email addresses. Deploy the provided Sigma rule targeting process creation after successful authentication to detect suspicious activity.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-03T22:16:26Z","date_published":"2026-04-03T22:16:26Z","id":"/briefs/2026-04-oauthenticator-auth-bypass/","summary":"OAuthenticator versions prior to 17.4.0 contain an authentication bypass vulnerability (CVE-2026-33175) that allows an attacker with an unverified email address on an Auth0 tenant to log in to JupyterHub when email is used as the username claim, potentially leading to account takeover.","title":"OAuthenticator Authentication Bypass Vulnerability (CVE-2026-33175)","url":"https://feed.craftedsignal.io/briefs/2026-04-oauthenticator-auth-bypass/"}],"language":"en","title":"CraftedSignal Threat Feed — Cve-2026-33175","version":"https://jsonfeed.org/version/1.1"}