Vulnerability Description
JupyterLab is an extensible environment for interactive and reproducible computing, based on the Jupyter Notebook Architecture. From 4.0.0 to 4.5.6, the allow-list of extensions that can be installed from PyPI Extension Manager (allowed_extensions_uris) is not correctly enforced by JupyterLab. The PyPI Extension Manager was not contained to packages listed on the default PyPI index. This vulnerability is fixed in 4.5.7.
CVSS Score
HIGH
Related Weaknesses (CWE)
References
- https://github.com/jupyterlab/jupyterlab/releases/tag/v4.5.7
- https://github.com/jupyterlab/jupyterlab/security/advisories/GHSA-37w4-hwhx-4rc4
- https://jupyterhub.readthedocs.io/en/5.2.1/explanation/websecurity.html
- https://jupyterlab.readthedocs.io/en/latest/user/extensions.html#extension-manag
FAQ
What is CVE-2026-42266?
CVE-2026-42266 is a vulnerability with a CVSS score of 8.8 (HIGH). JupyterLab is an extensible environment for interactive and reproducible computing, based on the Jupyter Notebook Architecture. From 4.0.0 to 4.5.6, the allow-list of extensions that can be installed ...
How severe is CVE-2026-42266?
CVE-2026-42266 has been rated HIGH with a CVSS base score of 8.8/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2026-42266?
Check the references section above for vendor advisories and patch information. Review vendor security bulletins for remediation guidance.