Bug 2484420 (CVE-2026-6657)

Summary: CVE-2026-6657 jupyter-server: jupyter-server: Arbitrary code execution due to CORS origin validation bypass
Product: [Other] Security Response Reporter: OSIDB Bzimport <bzimport>
Component: vulnerabilityAssignee: Product Security <prodsec-ir-bot>
Status: NEW --- QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: jkoehler, lphiri, rjohnson
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: ---
Doc Text:
A flaw was found in jupyter-server. A remote attacker can bypass Cross-Origin Resource Sharing (CORS) origin validation when the `allow_origin_pat` configuration is used. This vulnerability allows malicious domains to pass validation against patterns intended for trusted domains. This could lead to arbitrary code execution, unauthorized access to sensitive API responses, and phishing attacks.
Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2485373, 2485374    
Bug Blocks:    

Description OSIDB Bzimport 2026-06-03 16:01:48 UTC
A vulnerability in jupyter-server versions 1.12.0 through 2.17.0 allows an attacker to bypass CORS origin validation when the `allow_origin_pat` configuration is used. The issue arises from the use of `re.match()` for validating the `Origin` header, which only anchors at the start of the string. This allows attacker-controlled domains such as `trusted.example.com.evil.com` to pass validation against patterns intended to match `trusted.example.com`. The vulnerability affects multiple locations in the codebase, including CORS headers, WebSocket connections, referer validation, and login redirects, potentially enabling phishing attacks, arbitrary code execution, and unauthorized access to sensitive API responses.