Bug 2427763 (CVE-2026-21883) - CVE-2026-21883 Bokeh: Bokeh: Information disclosure and unauthorized actions via flawed WebSocket origin validation
Summary: CVE-2026-21883 Bokeh: Bokeh: Information disclosure and unauthorized actions ...
Keywords:
Status: NEW
Alias: CVE-2026-21883
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Product Security DevOps Team
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2026-01-08 02:01 UTC by OSIDB Bzimport
Modified: 2026-01-08 07:01 UTC (History)

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:



Description OSIDB Bzimport 2026-01-08 02:01:48 UTC
Bokeh is an interactive visualization library written in Python. In versions 3.8.1 and below, if a server is configured with an allowlist (e.g., dashboard.corp), an attacker can register a domain like dashboard.corp.attacker.com (or use a subdomain if applicable) and lure a victim to visit it. The malicious site can then initiate a WebSocket connection to the vulnerable Bokeh server. Since the Origin header (e.g., http://dashboard.corp.attacker.com/) matches the allowlist according to the flawed logic, the connection is accepted. Once connected, the attacker can interact with the Bokeh server on behalf of the victim, potentially accessing sensitive data, or modifying visualizations. This issue is fixed in version 3.8.2.
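The flaw described above is a prefix/substring style match on the Origin host rather than an exact host comparison. The following added example (not Bokeh's code; the flawed function is an assumed model of that class of check, the allowlist value is taken from the report) puts such a check beside a hardened one that parses the Origin and compares the host and explicit port exactly:

```python
from urllib.parse import urlsplit

# Constructed allowlist, using the host named in the report.
ALLOWLIST = ["dashboard.corp"]


def origin_allowed_flawed(origin: str, allowlist=ALLOWLIST) -> bool:
    """Assumed model of the flawed logic: accept when an allowlist entry
    merely appears inside the Origin's network location. This lets
    'dashboard.corp.attacker.com' (and 'dashboard.corp@attacker.com') through."""
    netloc = urlsplit(origin).netloc.lower()
    return any(entry.lower() in netloc for entry in allowlist)


def origin_allowed_fixed(origin: str, allowlist=ALLOWLIST) -> bool:
    """Hardened check: parse the Origin, require an http(s) scheme and a
    hostname, then compare 'host' or 'host:port' exactly (case-insensitive)
    against the allowlist. A missing or unparsable Origin is rejected."""
    if not origin:
        return False
    parts = urlsplit(origin)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False
    try:
        port = parts.port  # raises ValueError for a malformed port
    except ValueError:
        return False
    candidate = parts.hostname if port is None else f"{parts.hostname}:{port}"
    return any(candidate == entry.lower() for entry in allowlist)


def evaluate(origins, allowlist=ALLOWLIST):
    """Return {origin: (flawed_result, fixed_result)} for a batch of Origins,
    which is what a reviewer would run against a server's allowlist."""
    return {
        o: (origin_allowed_flawed(o, allowlist), origin_allowed_fixed(o, allowlist))
        for o in origins
    }


if __name__ == "__main__":
    for origin, (flawed, fixed) in evaluate([
        "http://dashboard.corp/",
        "http://dashboard.corp.attacker.com/",
        "http://dashboard.corp@attacker.com/",
        "",
    ]).items():
        print(f"{origin!r:40} flawed={flawed!s:5} fixed={fixed}")
```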

