CVE-2026-42266

Summary

JupyterLab is an extensible environment for interactive and reproducible computing, based on the Jupyter Notebook Architecture. From 4.0.0 to 4.5.6, the allow-list of extensions that can be installed from PyPI Extension Manager (allowed_extensions_uris) is not correctly enforced by JupyterLab. The PyPI Extension Manager was not contained to packages listed on the default PyPI index. This vulnerability is fixed in 4.5.7.

Affected Software

VendorProductVersion RangeStatus
jupyterlabjupyterlab>= 4.0.0, < 4.5.7affected

Weaknesses

  • CWE-88: CWE-88: Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')
  • CWE-602: CWE-602: Client-Side Enforcement of Server-Side Security

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: total

jupyterlab: JupyterLab: Arbitrary code execution due to improper enforcement of extension allow-list

Additional References

References