{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/jupyterlab/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["JupyterHub","JupyterLab (\u003c 4.5.7)","Notebook"],"_cs_severities":["high"],"_cs_tags":["jupyterhub","jupyterlab","privilege-escalation","vulnerability","extension-manager"],"_cs_type":"advisory","_cs_vendors":["Jupyter","pip"],"content_html":"\u003cp\u003eJupyterLab versions prior to 4.5.7 contain a vulnerability in the handling of the allow-list (\u003ccode\u003eallowed_extensions_uris\u003c/code\u003e) for extensions installable via the PyPI Extension Manager. This vulnerability allows an authenticated attacker to bypass the intended restrictions on extension installation, even in environments where such installations should be limited or prevented. This is particularly concerning for JupyterHub deployments aiming to restrict user capabilities for security reasons.  The vulnerability exists because the PyPI Extension Manager was not properly restricted to packages listed on the default PyPI index. This can lead to privilege escalation within the JupyterHub environment.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker authenticates to a JupyterHub instance with a standard user account.\u003c/li\u003e\n\u003cli\u003eAttacker identifies that the JupyterHub instance has the PyPI Extension Manager enabled.\u003c/li\u003e\n\u003cli\u003eAttacker discovers that the \u003ccode\u003eallowed_extensions_uris\u003c/code\u003e list is not correctly enforced in the JupyterLab version running on the server (versions \u0026lt; 4.5.7).\u003c/li\u003e\n\u003cli\u003eAttacker crafts a POST request to install a malicious extension from a non-allow-listed PyPI index or a local package.\u003c/li\u003e\n\u003cli\u003eJupyterLab incorrectly processes the request, bypassing the intended allow-list restrictions.\u003c/li\u003e\n\u003cli\u003eThe malicious extension is installed into the JupyterLab environment.\u003c/li\u003e\n\u003cli\u003eThe extension executes malicious code, potentially escalating the attacker\u0026rsquo;s privileges.\u003c/li\u003e\n\u003cli\u003eAttacker gains access to sensitive data, moves laterally to other systems, or establishes persistence on the server.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows an authenticated attacker to escalate privileges within the JupyterHub environment. This may lead to data exfiltration from the JupyterHub server or connected systems. Lateral movement to other systems on the network becomes possible, potentially compromising other services. A persistent compromise of the server infrastructure could also be achieved, allowing for long-term control and data access. This vulnerability impacts multi-tenant deployments and shared environments such as educational institutions where students share JupyterHub instances.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade JupyterLab to version 4.5.7 or later to patch the vulnerability (JupyterLab v4.5.7).\u003c/li\u003e\n\u003cli\u003eAs a temporary workaround, switch to the read-only extension manager by adding the command line option \u003ccode\u003e--LabApp.extension_manager=readonly\u003c/code\u003e or the traitlet \u003ccode\u003ec.LabApp.extension_manager = 'readonly'\u003c/code\u003e to your JupyterLab configuration.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect JupyterLab Extension Installation Attempt\u003c/code\u003e to identify unauthorized extension installation attempts.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for POST requests to extension installation endpoints to identify potential exploit attempts (webserver logs).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-05T20:53:18Z","date_published":"2026-05-05T20:53:18Z","id":"/briefs/2026-05-jupyterhub-extension-bypass/","summary":"JupyterLab versions prior to 4.5.7 do not correctly enforce the allow-list of extensions that can be installed from PyPI Extension Manager, allowing authenticated attackers to escalate privileges and potentially exfiltrate data, move laterally, and persistently compromise server infrastructure.","title":"JupyterHub Extension Manager API/GUI Policy Discrepancy Allows Malicious Extension Installation","url":"https://feed.craftedsignal.io/briefs/2026-05-jupyterhub-extension-bypass/"}],"language":"en","title":"CraftedSignal Threat Feed — Jupyterlab","version":"https://jsonfeed.org/version/1.1"}