Cyber Posture

CVE-2026-33175

High

Published: 03 April 2026
Modified: 15 April 2026
KEV Added:
Patch:
CVSS Score: 8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0013 (31.3rd percentile)
Risk Priority: 18 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Description

OAuthenticator is software that allows OAuth2 identity providers to be plugged in and used with JupyterHub. Prior to version 17.4.0, an authentication bypass vulnerability in oauthenticator allows an attacker with an unverified email address on an Auth0 tenant to log in to JupyterHub. When email is used as the username_claim, this gives users control over their username and the possibility of account takeover. This issue has been patched in version 17.4.0.

Mitigating Controls (NIST 800-53 r5) [AI-generated]

- prevent: Directly mitigates the authentication bypass by requiring timely remediation of the flaw through patching to OAuthenticator version 17.4.0 or later.
- prevent: Ensures secure selection, configuration, and monitoring of identity providers like Auth0 to prevent authentication bypass via unverified emails.
- prevent: Enforces secure configuration settings for OAuthenticator, such as avoiding email as username_claim with unverified Auth0 accounts, to block username control and account takeover.

Security Summary [AI-generated]

CVE-2026-33175 is an authentication bypass vulnerability (CWE-287, CWE-290) affecting OAuthenticator, a software component that enables OAuth2 identity providers to integrate with JupyterHub. Versions prior to 17.4.0 are vulnerable, particularly when using Auth0 as the identity provider and configuring email as the username_claim. Published on April 3, 2026, the flaw has a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), indicating high severity due to its potential for significant confidentiality, integrity, and availability impacts.

An attacker with an unverified email address on an Auth0 tenant can exploit this vulnerability to bypass authentication and log in to JupyterHub. This grants the attacker control over their username selection and enables potential account takeover of existing users by claiming their email-based usernames. The low-privilege requirement (PR:L) aligns with the need for a basic, unverified account on the Auth0 tenant, making exploitation feasible over the network with low complexity and no user interaction.

The issue has been addressed in OAuthenticator version 17.4.0, as detailed in the project's security advisory (GHSA-rrvg-cxh4-qhrv), release notes, and patching commit. Security practitioners should upgrade to version 17.4.0 or later and review configurations using email as username_claim with Auth0 to mitigate risks.
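The weak configuration the summary describes is that the JupyterHub username is taken straight from the identity provider's `email` claim, with no check that the provider has actually verified that address. The following is an added example written for this page, not code from the oauthenticator project or from the 17.4.0 fix: it models the username-derivation step and refuses a login whose username would come from an unverified email. The `userinfo` payloads are constructed sample data; the claim names `email`, `email_verified` and `sub` are the standard OpenID Connect claims, and the function and class names are this example's own.

```python
"""Added example: derive a JupyterHub username from OAuth2 userinfo claims
safely. Not part of the oauthenticator project; illustrates the
misconfiguration described in CVE-2026-33175 from the defender's side."""


class UnverifiedEmailError(ValueError):
    """Raised when the username would be derived from an unverified email."""


def derive_username(userinfo: dict, username_claim: str = "email") -> str:
    """Return the username for this login, or raise.

    Weak setting modelled here:   username_claim = "email" with no verification
    Safer settings:               username_claim = "sub" (provider-assigned,
                                  stable, not user-chosen), or "email" only
                                  when the provider asserts email_verified.
    """
    value = userinfo.get(username_claim)
    if not value:
        raise KeyError(f"userinfo has no {username_claim!r} claim")
    # A self-registered but unverified address lets the registrant choose any
    # string as their username, including one that already belongs to another
    # JupyterHub user. Only accept email-derived usernames the IdP vouches for.
    if username_claim == "email" and userinfo.get("email_verified") is not True:
        raise UnverifiedEmailError(f"refusing login: {value!r} is not a verified email")
    return value


def audit_logins(samples: list[tuple[str, dict, str]]) -> dict[str, str]:
    """Run derive_username over labelled sample payloads.

    Returns {label: "accepted as <username>" | "rejected: <reason>"} so the
    outcome of each case can be inspected (or asserted on) by the caller.
    """
    results = {}
    for label, userinfo, claim in samples:
        try:
            results[label] = f"accepted as {derive_username(userinfo, claim)}"
        except (UnverifiedEmailError, KeyError) as exc:
            results[label] = f"rejected: {exc}"
    return results


# Constructed sample userinfo payloads (no real tenant, users or addresses).
SAMPLES = [
    ("verified-email",
     {"sub": "auth0|1111", "email": "alice@example.test", "email_verified": True},
     "email"),
    ("unverified-email",
     {"sub": "auth0|2222", "email": "alice@example.test", "email_verified": False},
     "email"),
    ("missing-verified-flag",
     {"sub": "auth0|3333", "email": "alice@example.test"},
     "email"),
    ("sub-as-username",
     {"sub": "auth0|2222", "email": "alice@example.test", "email_verified": False},
     "sub"),
]

if __name__ == "__main__":
    for label, outcome in audit_logins(SAMPLES).items():
        print(f"{label:22} {outcome}")
```

Note what the fourth case shows: the same unverified account that is rejected under `username_claim = "email"` is accepted under `username_claim = "sub"`, but as `auth0|2222`, a provider-assigned identifier the registrant cannot choose, so it cannot collide with an existing user's name. Treating a missing `email_verified` claim as unverified (third case) is deliberate; a provider that does not assert verification should not be assumed to have done it.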

Details

CWE(s)

Affected Products

jupyter
oauthenticator
≤ 17.4.0

MITRE ATT&CK Enterprise Techniques [AI-generated]

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

CVE-2026-33175 is an authentication bypass vulnerability in OAuthenticator for the public-facing JupyterHub web application, directly enabling exploitation of a public-facing application for unauthorized access and potential account takeover.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References