CVE-2026-40110: CWE-777: Regular Expression without Anchors in jupyter-server jupyter_server
Jupyter Server versions 2.17.0 and earlier contain a vulnerability in the Origin header validation due to improper use of Python's re.match() function without full anchoring. This allows an attacker controlling a domain with a name prefix matching a trusted domain to bypass CORS origin restrictions and make cross-origin requests to the Jupyter Server API from an untrusted site. The issue is fixed in version 2.18.0.
AI Analysis
Technical Summary
The vulnerability in jupyter_server (CVE-2026-40110) arises from the use of Python's re.match() for validating the Origin header against the allow_origin_pat configuration. Since re.match() anchors only at the start of the string and does not enforce a full match, a pattern intended to match a trusted domain (e.g., trusted.example.com) can be bypassed by origins starting with that domain but followed by additional characters (e.g., trusted.example.com.evil.com). This allows an attacker controlling such a domain to circumvent CORS restrictions and perform cross-origin API requests. The vulnerability affects versions up to 2.17.0 and is resolved in version 2.18.0.
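As an added illustration (not jupyter_server's own code), the following compares an unanchored re.match() origin check against a full-match check on constructed Origin header values; ALLOW_ORIGIN_PAT, the function names and the sample origins are assumptions for this example.

```python
import re

# Constructed example: a trusted-origin pattern of the kind an operator might
# place in an allow_origin_pat setting. Not taken from jupyter_server.
ALLOW_ORIGIN_PAT = r"https://trusted\.example\.com"


def origin_allowed_vulnerable(origin: str, pattern: str = ALLOW_ORIGIN_PAT) -> bool:
    """Mirrors the CWE-777 flaw: re.match() anchors only at the start of the
    string, so any origin that merely begins with the trusted value passes."""
    return re.match(pattern, origin) is not None


def origin_allowed_fixed(origin: str, pattern: str = ALLOW_ORIGIN_PAT) -> bool:
    """Hardened check: re.fullmatch() requires the entire Origin value to match,
    so a trailing suffix (extra labels, a port) no longer slips through."""
    return re.fullmatch(pattern, origin) is not None


def evaluate(origins):
    """Return {origin: (unanchored_result, fullmatch_result)} for a list of
    Origin header values, so the two checks can be compared side by side."""
    return {o: (origin_allowed_vulnerable(o), origin_allowed_fixed(o)) for o in origins}


# Constructed Origin values for the comparison.
SAMPLE_ORIGINS = [
    "https://trusted.example.com",           # legitimate origin
    "https://trusted.example.com.evil.com",  # prefix-extended origin from the advisory
    "https://trusted.example.com:8443",      # different port is a different origin
    "https://evil.com",                      # unrelated origin
]

if __name__ == "__main__":
    for origin, (unanchored, full) in evaluate(SAMPLE_ORIGINS).items():
        print(f"{origin:40} re.match={unanchored!s:5} re.fullmatch={full}")
```

Only the first sample origin passes the full-match check; the unanchored check also accepts the second and third, which is the behaviour the advisory describes.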
Potential Impact
An attacker controlling a domain name that prefixes a trusted domain can bypass CORS origin restrictions on Jupyter Server API endpoints, potentially allowing unauthorized cross-origin requests. This could lead to unauthorized actions or data exposure via the API. The CVSS 4.0 score is 7.6 (high severity), reflecting network attack vector, low attack complexity, partial user interaction, and high impact on confidentiality and integrity.
Mitigation Recommendations
Upgrade jupyter_server to version 2.18.0 or later where this issue is fixed. Since this is a code-level validation flaw, applying the official update is the recommended remediation. Patch status is confirmed fixed in version 2.18.0. No other vendor advisory or temporary mitigations are provided.
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-04-09T01:41:38.536Z
- CVSS Version: 4.0
- State: PUBLISHED
- Remediation Level: null
Threat ID: 69fa665ccbff5d861029ec6f
Added to database: 5/5/2026, 9:51:24 PM
Last enriched: 5/5/2026, 10:06:27 PM
Last updated: 5/5/2026, 11:05:15 PM