CVE-2026-23528: CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) in dask distributed
Dask distributed is a distributed task scheduler for Dask. Prior to 2026.1.0, when Jupyter Lab, jupyter-server-proxy, and Dask distributed are all run together, it is possible to craft a URL which will result in code being executed by Jupyter due to a cross-site scripting (XSS) bug in the Dask dashboard. It is possible for attackers to craft a phishing URL that assumes Jupyter Lab and Dask may be running on localhost and using default ports. If a user clicks on the malicious link it will open an error page in the Dask Dashboard via the Jupyter Lab proxy, which will cause code to be executed by the default Jupyter Python kernel. This vulnerability is fixed in 2026.1.0.
AI Analysis
Technical Summary
CVE-2026-23528 is a cross-site scripting (XSS) vulnerability classified under CWE-80, CWE-79, and CWE-250, found in the Dask distributed task scheduler prior to version 2026.1.0. The vulnerability manifests when Dask distributed is used together with Jupyter Lab and jupyter-server-proxy, a common combination in data science and distributed computing environments. An attacker can craft a specially constructed URL that targets the Dask dashboard as proxied through Jupyter Lab. When a user opens this URL, it loads an error page in the Dask dashboard that does not properly neutralize HTML in attacker-controlled input, so the injected script runs in the context of the Jupyter Lab interface. This leads to execution of arbitrary code in the default Jupyter Python kernel without requiring authentication; the only precondition is that the user follows the link. The root cause is improper neutralization of script-related HTML tags, enabling injection of executable code. The vulnerability has a CVSS 4.0 base score of 5.3 (medium): network attack vector, low complexity, no privileges or authentication required, but user interaction required. While no known exploits are reported in the wild, the potential for phishing attacks against users running these tools locally on default ports is significant. The issue is resolved in Dask distributed version 2026.1.0 by correcting the input sanitization in the dashboard error page.
Potential Impact
For European organizations, especially those engaged in scientific research, data analytics, and distributed computing using Dask and Jupyter Lab, this vulnerability poses a risk of unauthorized code execution on developer or analyst machines. Successful exploitation could lead to compromise of sensitive data processed within Jupyter notebooks, unauthorized access to internal systems if pivoting is possible, and potential disruption of workflows. Since the attack vector involves phishing URLs targeting localhost services, the impact is primarily on end users who run these tools with default configurations. Confidentiality and integrity of data and code can be compromised, but availability impact is minimal. Organizations with remote or hybrid work environments may see increased risk due to phishing attack surfaces. The vulnerability could also be leveraged as a foothold for further lateral movement if combined with other vulnerabilities or misconfigurations.
Mitigation Recommendations
European organizations should immediately upgrade Dask distributed to version 2026.1.0 or later to apply the fix. Additionally, organizations should enforce best practices such as not relying on default ports and restricting access to Jupyter Lab and Dask dashboards via network controls or VPNs. Educate users to be cautious of unsolicited URLs, especially those pointing at localhost services. Implement Content Security Policy (CSP) headers where possible to restrict script execution in web interfaces. Regularly audit and monitor logs for unusual access patterns to Jupyter and Dask dashboards. Consider isolating Jupyter and Dask environments using containerization or virtual machines to limit the impact of potential exploitation. Finally, review and harden proxy configurations to prevent unauthorized access to internal dashboards.
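The following Python is an added example written for this page; it is not code from Dask, Jupyter, or jupyter-server-proxy, and the error-page template, function names, and CSP values are assumptions chosen for illustration. It shows the CWE-80 pattern the analysis describes (request-derived text placed raw into an error page) next to the hardened form that escapes every untrusted fragment, a check that confirms no attacker-supplied tag survives rendering, a defensive header set of the kind the mitigation paragraph recommends, and a small helper for triaging installed `distributed` versions against the 2026.1.0 fix.

```python
import html
import itertools
from typing import Callable, Dict, Tuple

# Constructed template for a dashboard error page. This is NOT Dask's actual
# markup; it only models the pattern "untrusted path ends up in an HTML page".
ERROR_TEMPLATE = (
    "<html><body><h1>Dashboard error</h1>"
    "<p>Could not load {path}: {message}</p></body></html>"
)

# Version in which the advisory says the issue is fixed.
FIXED_VERSION: Tuple[int, int, int] = (2026, 1, 0)


def render_error_page_unsafe(path: str, message: str) -> str:
    """Illustrative vulnerable pattern (CWE-80): request-derived text is
    interpolated straight into the page, so a tag inside the path becomes
    live markup in whoever views the error page."""
    return ERROR_TEMPLATE.format(path=path, message=message)


def render_error_page(path: str, message: str) -> str:
    """Hardened form: every untrusted fragment is HTML-escaped before it
    enters the template, so '<', '>', quotes and '&' become inert text."""
    return ERROR_TEMPLATE.format(
        path=html.escape(path, quote=True),
        message=html.escape(message, quote=True),
    )


def untrusted_tags_survive(
    renderer: Callable[[str, str], str], path: str, message: str
) -> bool:
    """Regression check: render once with empty input to count the template's
    own tags, then see whether the untrusted input added any raw '<'.
    True means at least one attacker-controlled tag reached the page intact."""
    baseline = renderer("", "").count("<")
    return renderer(path, message).count("<") > baseline


def security_headers() -> Dict[str, str]:
    """Defence-in-depth response headers a dashboard or reverse proxy can add.
    The CSP is an assumed starting point, not a policy taken from Dask or
    Jupyter: script-src 'self' makes the browser refuse inline scripts, which
    is exactly what an escaped-tag bypass would need."""
    return {
        "Content-Security-Policy": (
            "default-src 'self'; script-src 'self'; "
            "object-src 'none'; base-uri 'none'; frame-ancestors 'self'"
        ),
        "X-Content-Type-Options": "nosniff",
    }


def is_fixed_version(version: str) -> bool:
    """True when a distributed version string is 2026.1.0 or later.
    Calendar versions such as '2025.12.1' or '2026.1.0+12.gabc' are reduced
    to their leading numeric components; unparsable pieces count as 0."""
    parts = []
    for piece in version.split(".")[:3]:
        digits = "".join(itertools.takewhile(str.isdigit, piece))
        parts.append(int(digits) if digits else 0)
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts) >= FIXED_VERSION


if __name__ == "__main__":
    # Constructed hostile path used only to show the difference in output.
    hostile = "/status/<script>alert(1)</script>"
    print("unsafe :", render_error_page_unsafe(hostile, "not found"))
    print("escaped:", render_error_page(hostile, "not found"))
    for v in ("2025.12.1", "2026.1.0", "2026.2.0+3.gdeadbee"):
        print(v, "fixed" if is_fixed_version(v) else "VULNERABLE")
```

The `untrusted_tags_survive` check is the one to keep in a test suite: it does not care what the template looks like, only whether rendering an untrusted value increased the number of real tags. When deploying the CSP from `security_headers`, expect any inline scripts the dashboard legitimately uses to be blocked as well; those need nonces or hashes added before the policy can be enforced rather than merely reported.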
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Switzerland, Belgium
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-01-13T18:22:43.981Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 696a701db22c7ad868c0d10d
Added to database: 1/16/2026, 5:06:37 PM
Last enriched: 1/16/2026, 5:21:07 PM
Last updated: 1/16/2026, 10:00:46 PM