CVE-2026-42266 PUBLISHED

jupyterlab: Extension Manager API/GUI Policy Discrepancy allowing 3rd party (malicious) extensions install via POST request.

Assigner: GitHub_M
Reserved: 26.04.2026 Published: 13.05.2026 Updated: 14.05.2026

jupyterlab is an extensible environment for interactive and reproducible computing, based on the Jupyter Notebook Architecture. From 4.0.0 to 4.5.6, the allow-list of extensions that can be installed from PyPI Extension Manager (allowed_extensions_uris) is not correctly enforced by JupyterLab. The PyPI Extension Manager was not contained to packages listed on the default PyPI index. This vulnerability is fixed in 4.5.7.

Metrics

CVSS 3.1

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CVSS Score: 8.8

Attack Vector	Network	Scope	Unchanged
Attack Complexity	Low	Confidentiality Impact	High
Privileges Required	Low	Integrity Impact	High
User Interaction	None	Availability Impact	High

CVSS 3.1

Product Status

Vendor	jupyterlab
Product	jupyterlab
Versions	Version >= 4.0.0, < 4.5.7 is affected

References

https://github.com/jupyterlab/jupyterlab/security/advisories/GHSA-37w4-hwhx-4rc4

Problem Types

CWE-88: Improper Neutralization of Argument Delimiters in a Command ('Argument Injection') CWE
CWE-602: Client-Side Enforcement of Server-Side Security CWE