Bug 2466912 (CVE-2026-40110) - CVE-2026-40110 jupyter-server: Jupyter Server: Cross-Origin Resource Sharing (CORS) bypass via improper Origin header validation
Summary: CVE-2026-40110 jupyter-server: Jupyter Server: Cross-Origin Resource Sharing ...
Keywords:
Status: NEW
Alias: CVE-2026-40110
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Importance: high high
Target Milestone: ---
Assignee: Product Security DevOps Team
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2026-05-05 22:01 UTC by OSIDB Bzimport
Modified: 2026-05-18 14:14 UTC (History)
CC List: 16 users

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:


Description OSIDB Bzimport 2026-05-05 22:01:32 UTC
Jupyter Server is the backend for Jupyter web applications. In versions 2.17.0 and earlier, the Origin header validation uses Python's re.match() to check incoming origins against the allow_origin_pat configuration value. Because re.match() only anchors at the start of the string and does not require a full match, a pattern intended to match only a trusted domain (e.g., trusted.example.com) will also match any origin that begins with that domain followed by additional characters (e.g., trusted.example.com.evil.com). An attacker who controls such a domain can bypass the CORS origin restriction and make cross-origin requests to the Jupyter Server API from an untrusted site. This issue has been fixed in version 2.18.0.
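The regex-anchoring flaw described above, shown side by side with the fix, as an added illustration that is not jupyter-server's own code. The pattern value, the helper names and the sample origins are constructed for this demonstration; the only thing taken from the advisory is the mechanism (re.match() anchors at the start of the string only, so a trusted-domain pattern also accepts any origin that merely begins with that domain, and re.fullmatch() closes the gap). A third checker, appending `$` to the pattern, is included to show why a full-string match is the safer choice: in Python, `$` still matches before a trailing newline.

```python
import re
from typing import Callable, Dict, List, Optional, Tuple

# Constructed example of an allow-list pattern in the spirit of an
# allow_origin_pat value. Illustrative only; not taken from jupyter-server.
ALLOW_ORIGIN_PAT = r"https://trusted\.example\.com"


def origin_allowed_prefix(origin: str, pattern: str = ALLOW_ORIGIN_PAT) -> bool:
    """Pre-fix behaviour: re.match() anchors only at the start of the string,
    so anything that *begins* with the trusted origin is accepted."""
    return re.match(pattern, origin) is not None


def origin_allowed_dollar(origin: str, pattern: str = ALLOW_ORIGIN_PAT) -> bool:
    """Partial hardening: appending '$' rejects suffixes such as '.evil.com',
    but '$' also matches just before a trailing newline, so a newline-terminated
    origin still slips through."""
    return re.match(pattern + "$", origin) is not None


def origin_allowed_full(origin: str, pattern: str = ALLOW_ORIGIN_PAT) -> bool:
    """Hardened behaviour: re.fullmatch() requires the whole origin string to
    match the pattern, with no leading or trailing leftovers."""
    return re.fullmatch(pattern, origin) is not None


def cors_decision(origin: Optional[str], checker: Callable[[str], bool]) -> str:
    """Return the Access-Control-Allow-Origin value to emit for a request,
    or an empty string when the origin must be denied (no header sent)."""
    if not origin:
        return ""
    return origin if checker(origin) else ""


# Constructed Origin header values exercising the prefix, suffix and
# trailing-newline edge cases. None of these come from the advisory's data.
SAMPLE_ORIGINS: List[str] = [
    "https://trusted.example.com",
    "https://trusted.example.com.evil.com",
    "https://trusted.example.com:8888",
    "https://evil.com/https://trusted.example.com",
    "https://trusted.example.com\n",
]


def compare(origins: List[str] = SAMPLE_ORIGINS) -> Dict[str, Tuple[bool, bool, bool]]:
    """Map each origin to (re.match, re.match+'$', re.fullmatch) verdicts."""
    return {
        o: (origin_allowed_prefix(o), origin_allowed_dollar(o), origin_allowed_full(o))
        for o in origins
    }


if __name__ == "__main__":
    print(f"{'origin':48} {'re.match':9} {'match+$':9} {'fullmatch'}")
    for o, (prefix, dollar, full) in compare().items():
        print(f"{o!r:48} {str(prefix):9} {str(dollar):9} {full}")
```

Running the block prints one row per constructed origin; only the exact trusted origin survives all three checkers, while the `.evil.com` and `:8888` variants pass the plain re.match() check and the newline-terminated variant passes both re.match() forms. When reviewing an allow-list configuration, the defensive check is the same regardless of the regex: ask whether the code requires the whole header value to match, not merely its start.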
