Jupyter Server has a CORS Origin Validation Bypass via `re.match()` in `allow_origin_pat` (from huntr)

GHSA-24qx-w28j-9m6p · CVE-2026-40110

Published May 5, 2026 · Modified May 8, 2026

Description

Jupyter Server uses re.match() to validate the Origin header against the allow_origin_pat configuration.

Since re.match() only anchors at the start of the string, an attacker who controls a domain like http://trusted.example.com.evil.com/ passes validation against a pattern intended to match only trusted.example.com.

Impact

<=2.17.0

Patches

057869a327c46730afede3eab0ca2d2e3e74acea, 49b34392feaa97735b3b777e3baf8f22f2a14ed8

Workarounds

Wrap your allow_origin_pat value with ^ and $

References

https://github.com/jupyter-server/jupyter_server/pull/603
https://docs.python.org/3/library/re.html#re.fullmatch
https://docs.python.org/3/library/re.html#re.match

References

WEB https://github.com/jupyter-server/jupyter_server/security/advisories/GHSA-24qx-w28j-9m6p
ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2026-40110
WEB https://github.com/jupyter-server/jupyter_server/pull/603
WEB https://github.com/jupyter-server/jupyter_server/commit/057869a327c46730afede3eab0ca2d2e3e74acea
WEB https://github.com/jupyter-server/jupyter_server/commit/49b34392feaa97735b3b777e3baf8f22f2a14ed8
PACKAGE https://github.com/jupyter-server/jupyter_server

Ready to move

Start Securing

Start for Free Get Demo

Free, no credit card | First findings in minutes