CVE-2026-33175 PUBLISHED

OAuthenticator: Authentication Bypass in Auth0OAuthenticator via Unverified Email Claims

Assigner: GitHub_M
Reserved: 17.03.2026 Published: 03.04.2026 Updated: 03.04.2026

OAuthenticator is software that allows OAuth2 identity providers to be plugged in and used with JupyterHub. Prior to version 17.4.0, an authentication bypass vulnerability in oauthenticator allows an attacker with an unverified email address on an Auth0 tenant to login to JupyterHub. When email is used as the usrname_claim, this gives users control over their username and the possibility of account takeover. This issue has been patched in version 17.4.0.

Metrics

CVSS 3.1

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CVSS Score: 8.8

Attack Vector	Network	Scope	Unchanged
Attack Complexity	Low	Confidentiality Impact	High
Privileges Required	Low	Integrity Impact	High
User Interaction	None	Availability Impact	High

CVSS 3.1

Product Status

Vendor	jupyterhub
Product	oauthenticator
Versions	Version < 17.4.0 is affected

References

Problem Types

CWE-287: Improper Authentication CWE
CWE-290: Authentication Bypass by Spoofing CWE