CVE-2026-40934: CWE-613: Insufficient Session Expiration in jupyter-server jupyter_server
Jupyter Server is the backend for Jupyter web applications. In versions 2.17.0 and earlier, the secret used to sign authentication cookies is persisted to a static file at ~/.local/share/jupyter/runtime/jupyter_cookie_secret and is never rotated when a user changes their password. After a password reset and server restart, any previously issued authentication cookie remains cryptographically valid because the signing key has not changed. An attacker who has captured a session cookie through any means retains full authenticated access to the server regardless of subsequent password changes. This affects deployments using password-based authentication, particularly shared or public-facing servers where credential rotation is expected to revoke existing sessions. This issue has been fixed in version 2.18.0.
AI Analysis
Technical Summary
Jupyter Server prior to version 2.18.0 persists the secret key used to sign authentication cookies in a static file (~/.local/share/jupyter/runtime/jupyter_cookie_secret) and does not rotate it when a user changes their password. Because the file survives restarts, the server reloads the same signing key after the reset, so every cookie issued before the password change still verifies, and an attacker who captured such a cookie keeps authenticated access despite the change. This is a CWE-613 (Insufficient Session Expiration) weakness in password-based authentication; it matters most where a password reset is relied on to invalidate existing sessions, such as shared or public-facing servers.
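The mechanism above, as an added example that is not jupyter_server's own code: a small model of a Tornado-style HMAC-signed cookie and a toy server that keeps its signing key in a file across restarts. The cookie layout ("2|1:0|10:<ts>|<n>:<name>|<n>:<b64 value>|<hex hmac-sha256>"), the ToyServer class and the file name are assumptions made for illustration. Run it and the first case (secret left in place, as in versions up to 2.17.0) reports the stolen cookie as still valid after a password reset and restart; the second case (secret rotated on password change) reports it as rejected.

```python
"""Why a persisted, never-rotated cookie secret survives a password reset (CWE-613).

Added illustration, not jupyter_server code. The signed-cookie layout and the
ToyServer class below are assumptions made for the demonstration.
"""
import base64
import hashlib
import hmac
import os
import tempfile
import time
from typing import Optional


def _field(value: bytes) -> bytes:
    # Length-prefixed field, so a value containing '|' cannot confuse the parser.
    return b"%d:%s" % (len(value), value)


def _read_field(field: bytes) -> bytes:
    length, sep, rest = field.partition(b":")
    if not sep or len(rest) != int(length):
        raise ValueError("malformed field")
    return rest


def sign_cookie(secret: bytes, name: str, value: bytes, timestamp: Optional[int] = None) -> bytes:
    """Mint a signed cookie; everything before the MAC is covered by the MAC."""
    ts = str(int(time.time()) if timestamp is None else timestamp).encode()
    to_sign = b"|".join([b"2", _field(b"0"), _field(ts), _field(name.encode()),
                         _field(base64.b64encode(value)), b""])
    mac = hmac.new(secret, to_sign, hashlib.sha256).hexdigest().encode()
    return to_sign + mac


def verify_cookie(secret: bytes, name: str, cookie: bytes,
                  max_age_days: int = 31, now: Optional[int] = None) -> Optional[bytes]:
    """Return the payload if the MAC, cookie name and age check out, else None."""
    body, sep, mac = cookie.rpartition(b"|")
    if not sep:
        return None
    to_sign = body + b"|"
    expected = hmac.new(secret, to_sign, hashlib.sha256).hexdigest().encode()
    if not hmac.compare_digest(expected, mac):
        return None                      # wrong key, or tampered payload
    parts = to_sign.split(b"|")          # [version, key_version, ts, name, value, b""]
    if len(parts) != 6 or parts[0] != b"2":
        return None
    try:
        _key_version, ts, cookie_name, b64_value = (_read_field(p) for p in parts[1:5])
        issued = int(ts)
    except ValueError:
        return None
    if cookie_name != name.encode():
        return None
    current = int(time.time()) if now is None else now
    if issued < current - max_age_days * 86400:
        return None                      # only the timestamp bounds a stolen cookie's life
    return base64.b64decode(b64_value)


class ToyServer:
    """Stand-in for a server that keeps its cookie-signing key in a file across restarts."""

    def __init__(self, secret_file: str, rotate_on_password_change: bool):
        self.secret_file = secret_file
        self.rotate_on_password_change = rotate_on_password_change
        self.secret = self._load_or_create_secret()

    def _load_or_create_secret(self) -> bytes:
        if os.path.exists(self.secret_file):
            with open(self.secret_file, "rb") as f:
                return f.read()          # the persisted key is reused after every restart
        secret = base64.encodebytes(os.urandom(32))
        with open(self.secret_file, "wb") as f:
            f.write(secret)
        os.chmod(self.secret_file, 0o600)
        return secret

    def login(self) -> bytes:
        return sign_cookie(self.secret, "session", b"user-token")

    def change_password(self) -> None:
        # The new password hash plays no part in cookie validity; only the signing key does.
        if self.rotate_on_password_change:       # fixed behaviour: force a fresh key
            os.remove(self.secret_file)
            self.secret = self._load_or_create_secret()
        # vulnerable behaviour: the secret file is left untouched

    def is_authenticated(self, cookie: bytes) -> bool:
        return verify_cookie(self.secret, "session", cookie) is not None


def old_cookie_still_valid(rotate_on_password_change: bool) -> bool:
    """Capture a cookie, reset the password, restart the server, replay the cookie."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "jupyter_cookie_secret")   # same file name as on this page
        server = ToyServer(path, rotate_on_password_change)
        stolen = server.login()                            # attacker captures this cookie
        server.change_password()                           # victim resets the password ...
        server = ToyServer(path, rotate_on_password_change)  # ... and restarts the server
        return server.is_authenticated(stolen)


if __name__ == "__main__":
    print("secret not rotated, old cookie still valid:", old_cookie_still_valid(False))
    print("secret rotated, old cookie still valid:    ", old_cookie_still_valid(True))
```

The point the model makes: the password hash never enters the cookie's MAC, so nothing about a password reset changes what the server accepts. Only a new signing key (or the cookie's own timestamp running out) ends the stolen session.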
Potential Impact
An attacker who obtains a valid session cookie before a password reset keeps full authenticated access to the Jupyter Server after the password has been changed, and a server restart does not help. The weakness does not grant initial access on its own; the cookie must already have been captured by some other means. What it breaks is the expectation that a password reset revokes existing sessions, so a compromise that should have been contained by the reset can instead persist, with continued access to notebooks, files and code execution through kernels on the affected server.
Mitigation Recommendations
Upgrade to Jupyter Server 2.18.0 or later; the CVE description names that release as the fix. This page carries no vendor advisory or patch link, so confirm the fixed version against the jupyter_server release notes or repository before closing the finding. Until the upgrade is in place, and on any version after a suspected cookie theft, force rotation by hand: stop the server, remove or replace ~/.local/share/jupyter/runtime/jupyter_cookie_secret (or the file named by a custom cookie_secret_file setting, if one is used), and start the server again. Changing the signing key invalidates every cookie issued under the old key, which is exactly the revocation a password reset was expected to deliver. Also confirm the secret file is readable only by the server's user, since anyone who can read it can mint valid cookies for as long as that key stays in use.
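A small audit-and-retire helper for the manual rotation above, added here as an example rather than taken from jupyter_server. It assumes the secret file name and location given on this page, that the server mints a fresh secret at startup when the file is absent (implied by the description, not stated), and that the hashed password is stored in jupyter_server_config.json, of which only the modification time is used. The demo scenario (key written a week ago with loose permissions, password reset yesterday) is constructed.

```python
"""Audit and retire a persisted Jupyter cookie secret after a password change.

Added example, not jupyter_server's own code. Labelled assumptions: the secret
file name and location are those given on this page; the server mints a fresh
secret at startup when the file is absent (implied by the description, not
stated); the hashed password lives in jupyter_server_config.json, of which only
the modification time is used here.
"""
import os
import stat
import tempfile
import time
from pathlib import Path
from typing import Optional

SECRET_NAME = "jupyter_cookie_secret"                # from this page
PASSWORD_CONFIG_NAME = "jupyter_server_config.json"  # assumption, see above


def audit(secret_file: Path, password_config: Path) -> dict:
    """Does the secret exist, is it owner-only readable, and does it predate the password change?"""
    report = {"exists": secret_file.exists(), "permissions_ok": None, "stale": False}
    if not report["exists"]:
        return report                                  # nothing to retire
    mode = stat.S_IMODE(secret_file.stat().st_mode)
    report["permissions_ok"] = (mode & 0o077) == 0     # group/other must not read the signing key
    if password_config.exists():
        # Password changed after the key was written: every cookie issued before the
        # change still verifies, which is exactly the CWE-613 condition on this page.
        report["stale"] = password_config.stat().st_mtime > secret_file.stat().st_mtime
    return report


def retire_cookie_secret(secret_file: Path) -> Optional[Path]:
    """Move the secret aside so a restart produces a new key and all old cookies fail.

    Renamed rather than deleted, so the old key can be kept as evidence. The running
    process still holds the old key in memory: restart the server afterwards.
    """
    if not secret_file.exists():
        return None
    secret_file.chmod(0o600)               # tighten first in case it was readable by others
    retired = secret_file.with_name(f"{secret_file.name}.revoked-{int(time.time())}")
    secret_file.rename(retired)
    return retired


def demo() -> dict:
    """Constructed scenario: key written a week ago, mode 0644, password reset yesterday."""
    now = time.time()
    with tempfile.TemporaryDirectory() as d:
        secret = Path(d) / "runtime" / SECRET_NAME
        password_config = Path(d) / "config" / PASSWORD_CONFIG_NAME
        secret.parent.mkdir()
        password_config.parent.mkdir()
        secret.write_bytes(b"constructed-cookie-secret\n")
        secret.chmod(0o644)                          # deliberately too permissive
        os.utime(secret, (now - 7 * 86400, now - 7 * 86400))
        password_config.write_text("{}")             # placeholder; only its mtime matters
        os.utime(password_config, (now - 86400, now - 86400))
        before = audit(secret, password_config)
        retired = retire_cookie_secret(secret)
        after = audit(secret, password_config)
        return {
            "stale_before": before["stale"],
            "permissions_ok_before": before["permissions_ok"],
            "retired": retired is not None and retired.exists(),
            "secret_present_after": after["exists"],
            "stale_after": after["stale"],
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

On a real host, point audit() and retire_cookie_secret() at the runtime directory (jupyter --runtime-dir prints it) and at the config directory holding jupyter_server_config.json; deployments that set ServerApp.cookie_secret_file keep the key elsewhere, and that path is what must be retired. Neither command nor setting is documented on this page. Restart the server after retiring the file, since the in-memory key keeps signing and verifying until the process exits.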
CVSS v4.0 score: 7.6 (High)
Affected software: jupyter-server jupyter_server, versions 2.17.0 and earlier (fixed in 2.18.0)
Weaknesses: CWE-613 Insufficient Session Expiration
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-04-15T20:40:15.518Z
- CVSS Version: 4.0
- State: PUBLISHED
- Remediation Level: not provided (null)
Threat ID: 69fa665ccbff5d861029ec75
Added to database: 5/5/2026, 9:51:24 PM
Last enriched: 5/13/2026, 3:39:47 AM
Last updated: 6/20/2026, 7:34:05 AM
Views: 166